BytecodeGenerator needs to be re-entrant to support miranda functions
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2015-03-13  Ryosuke Niwa  <rniwa@webkit.org>
2
3         BytecodeGenerator needs to be re-entrant to support miranda functions
4         https://bugs.webkit.org/show_bug.cgi?id=142627
5
6         Reviewed by Filip Pizlo.
7
8         Made CodeCache::getGlobalCodeBlock and CodeCache::getFunctionExecutableFromGlobalCode re-entrant
9         by not keeping AddResult while invoking BytecodeGenerator::generate.
10
11         This is needed to support Miranda functions since they need to be lazily initialized.
12
13         * runtime/CodeCache.cpp:
14         (JSC::CodeCache::getGlobalCodeBlock):
15         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
16         * runtime/CodeCache.h:
17         (JSC::CodeCacheMap::findCacheAndUpdateAge): Extracted from add.
18         (JSC::CodeCacheMap::addCache): Extracted from add.
19         (JSC::CodeCacheMap::add): Deleted.
20
21 2015-03-13  Mark Lam  <mark.lam@apple.com>
22
23         Introduce WTF::Atomic to wrap std::atomic for a friendlier CAS.
24         <https://webkit.org/b/142661>
25
26         Reviewed by Filip Pizlo.
27
28         Changed CodeBlock, and the DFG's crashLock to use WTF::Atomic instead of
29         std::atomic.
30
31         * bytecode/CodeBlock.cpp:
32         (JSC::CodeBlock::CodeBlock):
33         (JSC::CodeBlock::visitAggregate):
34         * bytecode/CodeBlock.h:
35         * dfg/DFGCommon.cpp:
36         (JSC::DFG::startCrashing):
37
38 2015-03-12  Mark Lam  <mark.lam@apple.com>
39
40         Change the DFG crashLock to use std::atomic.
41         <https://webkit.org/b/142649>
42
43         Reviewed by Filip Pizlo.
44
45         * dfg/DFGCommon.cpp:
46         (JSC::DFG::startCrashing):
47         (JSC::DFG::isCrashing):
48
49 2015-03-12  Filip Pizlo  <fpizlo@apple.com>
50
51         Bytecode liveness analysis should have more lambdas and fewer sets
52         https://bugs.webkit.org/show_bug.cgi?id=142647
53
54         Reviewed by Mark Lam.
55         
56         In bug 141174 I'll need to identify all of the bytecode kill sites. This requires hooking into
57         the bytecode analysis' stepOverFunction method, except in such a way that we observe uses that
58         are not in outs. This refactors stepOverFunction so that you can pass it use/def functors that
59         can either be used to propagate outs (as we do right now) or to additionally detect kills or
60         whatever else.
61         
62         In order to achieve this, the liveness analysis was moved off of maintaining uses/defs
63         bitvectors. This wasn't helping the abstraction and was probably inefficient. The new code
64         should be a bit faster since we don't have to clear uses/defs bitvectors on each instruction. On
65         the other hand, being able to intercept each use means that our code for exception handlers is
66         no longer a bitwise-merge; it requires finding set bits. Fortunately, this code only kicks in
67         for instructions inside a try, and its performance is O(live at catch), so that's probably not
68         bad.
69
70         * bytecode/BytecodeLivenessAnalysis.cpp:
71         (JSC::indexForOperand):
72         (JSC::stepOverInstruction):
73         (JSC::computeLocalLivenessForBytecodeOffset):
74         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
75         (JSC::setForOperand): Deleted.
76         * bytecode/BytecodeUseDef.h:
77         (JSC::computeUsesForBytecodeOffset):
78         (JSC::computeDefsForBytecodeOffset):
79         * bytecode/CodeBlock.cpp:
80
81 2015-03-12  Ryosuke Niwa  <rniwa@webkit.org>
82
83         "this" should be in TDZ until super is called in the constructor of a derived class
84         https://bugs.webkit.org/show_bug.cgi?id=142527
85
86         Reviewed by Mark Hahnenberg.
87
88         DFG and FTL implementations co-authored by Filip Pizlo.
89
90         In ES6 class syntax, "this" register must be in the "temporal dead zone" (TDZ) and throw ReferenceError until
91         super() is called inside the constructor of a derived class.
92
93         Added op_check_tdz, a new OP code, which throws a reference error when the first operand is an empty value
94         to all tiers of JIT and LLint. The op code throws in the slow path on the basis that a TDZ error should be
95         a programming error and not a part of the programs' normal control flow. In DFG, this op code is represented
96         by a no-op must-generate node CheckNotEmpty modeled after CheckCell.
97
98         Also made the constructor of a derived class assign the empty value to "this" register rather than undefined
99         so that ThisNode can emit the op_check_tdz to check the initialized-ness of "this" in such a constructor.
100
101         * bytecode/BytecodeList.json: Added op_check_tdz.
102         * bytecode/BytecodeUseDef.h:
103         (JSC::computeUsesForBytecodeOffset): Ditto.
104         (JSC::computeDefsForBytecodeOffset): Ditto.
105         * bytecode/CodeBlock.cpp:
106         (JSC::CodeBlock::dumpBytecode): Ditto.
107         * bytecode/ExitKind.cpp:
108         (JSC::exitKindToString): Added TDZFailure.
109         * bytecode/ExitKind.h: Ditto.
110         * bytecompiler/BytecodeGenerator.cpp:
111         (JSC::BytecodeGenerator::BytecodeGenerator): Assign the empty value to "this" register to indicate it's in TDZ.
112         (JSC::BytecodeGenerator::emitTDZCheck): Added.
113         (JSC::BytecodeGenerator::emitReturn): Emit the TDZ check since "this" can still be in TDZ if super() was never
114         called. e.g. class B extends A { constructor() { } }
115         * bytecompiler/BytecodeGenerator.h:
116         * bytecompiler/NodesCodegen.cpp:
117         (JSC::ThisNode::emitBytecode): Always emit the TDZ check if we're inside the constructor of a derived class.
118         We can't omit this check even if the result was ignored per spec.
119         * dfg/DFGAbstractInterpreterInlines.h:
120         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Previously, empty value could never appear
121         in a local variable. This is no longer true so generalize this code. Also added the support for CheckNotEmpty.
122         Like CheckCell, we phantomize this DFG node in the constant folding phase if the type of the operand is already
123         found to be not empty. Otherwise filter out SpecEmpty.
124         * dfg/DFGByteCodeParser.cpp:
125         (JSC::DFG::ByteCodeParser::parseBlock): Added op_check_tdz.
126         * dfg/DFGCapabilities.cpp:
127         (JSC::DFG::capabilityLevel): op_check_tdz can be compiled and inlined.
128         * dfg/DFGClobberize.h:
129         (JSC::DFG::clobberize): CheckNotEmpty doesn't read or write values.
130         * dfg/DFGConstantFoldingPhase.cpp:
131         (JSC::DFG::ConstantFoldingPhase::foldConstants): Convert CheckNotEmpty to a phantom if non-emptiness had already
132         been proven for the operand prior to this node.
133         * dfg/DFGDoesGC.cpp:
134         (JSC::DFG::doesGC): CheckNotEmpty does not trigger GC.
135         * dfg/DFGFixupPhase.cpp:
136         (JSC::DFG::FixupPhase::fixupNode): CheckNotEmpty is a no-op in the fixup phase.
137         * dfg/DFGNodeType.h: CheckNotEmpty cannot be removed even if the result was ignored. See ThisNode::emitBytecode.
138         * dfg/DFGPredictionPropagationPhase.cpp:
139         (JSC::DFG::PredictionPropagationPhase::propagate): CheckNotEmpty doesn't return any value.
140         * dfg/DFGSafeToExecute.h:
141         (JSC::DFG::safeToExecute): CheckNotEmpty doesn't load from heap so it's safe.
142         * dfg/DFGSpeculativeJIT32_64.cpp:
143         (JSC::DFG::SpeculativeJIT::compile): Speculative the operand to be not empty. OSR exit if the speculation fails.
144         * dfg/DFGSpeculativeJIT64.cpp:
145         (JSC::DFG::SpeculativeJIT::compile): Ditto.
146         * ftl/FTLCapabilities.cpp:
147         (JSC::FTL::canCompile): CheckNotEmpty can be compiled in FTL.
148         * ftl/FTLLowerDFGToLLVM.cpp:
149         (JSC::FTL::LowerDFGToLLVM::compileNode): Calls compileCheckNotEmpty for CheckNotEmpty.
150         (JSC::FTL::LowerDFGToLLVM::compileCheckNotEmpty): OSR exit with "TDZFailure" if the operand is not empty.
151         * jit/JIT.cpp:
152         (JSC::JIT::privateCompileMainPass): Added op_check_tdz.
153         (JSC::JIT::privateCompileSlowCases): Ditto.
154         * jit/JIT.h:
155         * jit/JITOpcodes.cpp:
156         (JSC::JIT::emit_op_check_tdz): Implements op_check_tdz in Baseline JIT.
157         (JSC::JIT::emitSlow_op_check_tdz): Ditto.
158         * jit/JITOpcodes32_64.cpp:
159         (JSC::JIT::emit_op_check_tdz): Ditto.
160         (JSC::JIT::emitSlow_op_check_tdz): Ditto.
161         * llint/LowLevelInterpreter32_64.asm: Implements op_check_tdz in LLint.
162         * llint/LowLevelInterpreter64.asm: Ditto.
163         * runtime/CommonSlowPaths.cpp:
164         (JSC::SLOW_PATH_DECL): Throws a reference error for op_check_tdz. Shared by LLint and Baseline JIT.
165         * runtime/CommonSlowPaths.h:
166         * tests/stress/class-syntax-no-loop-tdz.js: Added.
167         * tests/stress/class-syntax-no-tdz-in-catch.js: Added.
168         * tests/stress/class-syntax-no-tdz-in-conditional.js: Added.
169         * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js: Added.
170         * tests/stress/class-syntax-no-tdz-in-loop.js: Added.
171         * tests/stress/class-syntax-no-tdz.js: Added.
172         * tests/stress/class-syntax-tdz-in-catch.js: Added.
173         * tests/stress/class-syntax-tdz-in-conditional.js: Added.
174         * tests/stress/class-syntax-tdz-in-loop.js: Added.
175         * tests/stress/class-syntax-tdz.js: Added.
176
177 2015-03-12  Yusuke Suzuki  <utatane.tea@gmail.com>
178
179         Integrate MapData into JSMap and JSSet
180         https://bugs.webkit.org/show_bug.cgi?id=142556
181
182         Reviewed by Filip Pizlo.
183
184         This patch integrates MapData into JSMap and JSSet.
185         This removes 2 object allocation per one JSMap / JSSet.
186
187         MapDataImpl is specialized into MapData and SetData.
188         In the case of SetData, it does not have the dummy values
189         previously stored in the MapDataImpl. So the storage size of SetData
190         becomes the half of the previous implementation.
191
192         And now MapData and SetData are completely integrated into JSMap and JSSet,
193         these structures are not exposed to the other code even in WebCore world.
194
195         And at the same time, this patch fixes missing destroy functions
196         in JSMapIterator and JSSetIterator.
197         They are needed because MapData::const_iterator is a non-trivial destructor.
198
199         * CMakeLists.txt:
200         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
201         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
202         * JavaScriptCore.xcodeproj/project.pbxproj:
203         * runtime/JSMap.cpp:
204         (JSC::JSMap::destroy):
205         (JSC::JSMap::visitChildren):
206         (JSC::JSMap::copyBackingStore):
207         (JSC::JSMap::has):
208         (JSC::JSMap::size):
209         (JSC::JSMap::get):
210         (JSC::JSMap::set):
211         (JSC::JSMap::clear):
212         (JSC::JSMap::remove):
213         (JSC::JSMap::finishCreation): Deleted.
214         * runtime/JSMap.h:
215         (JSC::JSMap::Entry::key):
216         (JSC::JSMap::Entry::value):
217         (JSC::JSMap::Entry::visitChildren):
218         (JSC::JSMap::Entry::setKey):
219         (JSC::JSMap::Entry::setKeyWithoutWriteBarrier):
220         (JSC::JSMap::Entry::setValue):
221         (JSC::JSMap::Entry::clear):
222         (JSC::JSMap::begin):
223         (JSC::JSMap::end):
224         (JSC::JSMap::JSMap):
225         (JSC::JSMap::mapData): Deleted.
226         * runtime/JSMapIterator.cpp:
227         (JSC::JSMapIterator::finishCreation):
228         (JSC::JSMapIterator::destroy):
229         (JSC::JSMapIterator::visitChildren):
230         * runtime/JSMapIterator.h:
231         (JSC::JSMapIterator::JSMapIterator):
232         * runtime/JSSet.cpp:
233         (JSC::JSSet::destroy):
234         (JSC::JSSet::visitChildren):
235         (JSC::JSSet::copyBackingStore):
236         (JSC::JSSet::has):
237         (JSC::JSSet::size):
238         (JSC::JSSet::add):
239         (JSC::JSSet::clear):
240         (JSC::JSSet::remove):
241         (JSC::JSSet::finishCreation): Deleted.
242         * runtime/JSSet.h:
243         (JSC::JSSet::Entry::key):
244         (JSC::JSSet::Entry::value):
245         (JSC::JSSet::Entry::visitChildren):
246         (JSC::JSSet::Entry::setKey):
247         (JSC::JSSet::Entry::setKeyWithoutWriteBarrier):
248         (JSC::JSSet::Entry::setValue):
249         (JSC::JSSet::Entry::clear):
250         (JSC::JSSet::begin):
251         (JSC::JSSet::end):
252         (JSC::JSSet::JSSet):
253         (JSC::JSSet::mapData): Deleted.
254         * runtime/JSSetIterator.cpp:
255         (JSC::JSSetIterator::finishCreation):
256         (JSC::JSSetIterator::visitChildren):
257         (JSC::JSSetIterator::destroy):
258         * runtime/JSSetIterator.h:
259         (JSC::JSSetIterator::JSSetIterator):
260         * runtime/MapConstructor.cpp:
261         (JSC::constructMap):
262         * runtime/MapData.h:
263         (JSC::MapDataImpl::const_iterator::key):
264         (JSC::MapDataImpl::const_iterator::value):
265         (JSC::MapDataImpl::size):
266         (JSC::MapDataImpl<Entry>::MapDataImpl):
267         (JSC::MapDataImpl<Entry>::clear):
268         (JSC::MapDataImpl<Entry>::KeyType::KeyType):
269         (JSC::MapDataImpl<Entry>::const_iterator::internalIncrement):
270         (JSC::MapDataImpl<Entry>::const_iterator::ensureSlot):
271         (JSC::MapDataImpl<Entry>::const_iterator::const_iterator):
272         (JSC::MapDataImpl<Entry>::const_iterator::~const_iterator):
273         (JSC::MapDataImpl<Entry>::const_iterator::operator):
274         (JSC::=):
275         (JSC::MapData::const_iterator::key): Deleted.
276         (JSC::MapData::const_iterator::value): Deleted.
277         (JSC::MapData::create): Deleted.
278         (JSC::MapData::createStructure): Deleted.
279         (JSC::MapData::size): Deleted.
280         (JSC::MapData::clear): Deleted.
281         (JSC::MapData::KeyType::KeyType): Deleted.
282         (JSC::MapData::const_iterator::internalIncrement): Deleted.
283         (JSC::MapData::const_iterator::ensureSlot): Deleted.
284         (JSC::MapData::const_iterator::const_iterator): Deleted.
285         (JSC::MapData::const_iterator::~const_iterator): Deleted.
286         (JSC::MapData::const_iterator::operator*): Deleted.
287         (JSC::MapData::const_iterator::end): Deleted.
288         (JSC::MapData::const_iterator::operator!=): Deleted.
289         (JSC::MapData::const_iterator::operator==): Deleted.
290         * runtime/MapDataInlines.h: Renamed from Source/JavaScriptCore/runtime/MapData.cpp.
291         (JSC::MapDataImpl<Entry>::find):
292         (JSC::MapDataImpl<Entry>::contains):
293         (JSC::MapDataImpl<Entry>::add):
294         (JSC::MapDataImpl<Entry>::set):
295         (JSC::MapDataImpl<Entry>::get):
296         (JSC::MapDataImpl<Entry>::remove):
297         (JSC::MapDataImpl<Entry>::replaceAndPackBackingStore):
298         (JSC::MapDataImpl<Entry>::replaceBackingStore):
299         (JSC::MapDataImpl<Entry>::ensureSpaceForAppend):
300         (JSC::MapDataImpl<Entry>::visitChildren):
301         (JSC::MapDataImpl<Entry>::copyBackingStore):
302         * runtime/MapPrototype.cpp:
303         (JSC::getMap):
304         (JSC::mapProtoFuncClear):
305         (JSC::mapProtoFuncDelete):
306         (JSC::mapProtoFuncForEach):
307         (JSC::mapProtoFuncGet):
308         (JSC::mapProtoFuncHas):
309         (JSC::mapProtoFuncSet):
310         (JSC::mapProtoFuncSize):
311         (JSC::getMapData): Deleted.
312         * runtime/SetPrototype.cpp:
313         (JSC::getSet):
314         (JSC::setProtoFuncAdd):
315         (JSC::setProtoFuncClear):
316         (JSC::setProtoFuncDelete):
317         (JSC::setProtoFuncForEach):
318         (JSC::setProtoFuncHas):
319         (JSC::setProtoFuncSize):
320         (JSC::getMapData): Deleted.
321         * runtime/VM.cpp:
322         (JSC::VM::VM):
323         * runtime/VM.h:
324
325 2015-03-12  Mark Lam  <mark.lam@apple.com>
326
327         Use std::atomic for CodeBlock::m_visitAggregateHasBeenCalled.
328         <https://webkit.org/b/142640>
329
330         Reviewed by Mark Hahnenberg.
331
332         We used to spin our own compare and swap on a uint8_t.  Now that we can
333         use C++11, let's use std::atomic instead.
334
335         * bytecode/CodeBlock.cpp:
336         (JSC::CodeBlock::visitAggregate):
337         - The CAS here needs std::memory_order_acquire ordering because it
338           requires lock acquisition semantics to visit the CodeBlock.
339
340         * bytecode/CodeBlock.h:
341         (JSC::CodeBlockSet::mark):
342         * heap/CodeBlockSet.cpp:
343         (JSC::CodeBlockSet::clearMarksForFullCollection):
344         (JSC::CodeBlockSet::clearMarksForEdenCollection):
345         - These can go with relaxed ordering because they are all done before
346           the GC starts parallel marking.
347
348 2015-03-12  Csaba Osztrogonác  <ossy@webkit.org>
349
350         [cmake] Fix the incremental build issue revealed by r181419
351         https://bugs.webkit.org/show_bug.cgi?id=142613
352
353         Reviewed by Carlos Garcia Campos.
354
355         * CMakeLists.txt:
356
357 2015-03-11  Ryosuke Niwa  <rniwa@webkit.org>
358
359         "static" should not be a reserved keyword in non-strict mode even when ES6 class is enabled
360         https://bugs.webkit.org/show_bug.cgi?id=142600
361
362         Reviewed by Mark Lam.
363
364         Make "static" RESERVED_IF_STRICT and manually detect it in parseClass.
365
366         No new tests. This is already checked by js/reserved-words.html and js/keywords-and-reserved_words.html
367
368         * parser/Keywords.table:
369         * parser/Parser.cpp:
370         (JSC::Parser<LexerType>::parseClass):
371         * parser/ParserTokens.h:
372
373 2015-03-11  Geoffrey Garen  <ggaren@apple.com>
374
375         Many users of Heap::reportExtraMemory* are wrong, causing lots of memory growth
376         https://bugs.webkit.org/show_bug.cgi?id=142593
377
378         Reviewed by Andreas Kling.
379
380         Adopt deprecatedReportExtraMemory as a short-term fix for runaway
381         memory growth in these cases where we have not adopted
382         reportExtraMemoryVisited.
383
384         Long-term, we should use reportExtraMemoryAllocated+reportExtraMemoryVisited.
385         That's tracked by https://bugs.webkit.org/show_bug.cgi?id=142595.
386
387         * API/JSBase.cpp:
388         (JSReportExtraMemoryCost):
389         * runtime/SparseArrayValueMap.cpp:
390         (JSC::SparseArrayValueMap::add):
391
392 2015-03-11  Geoffrey Garen  <ggaren@apple.com>
393
394         Refactored the JSC::Heap extra cost API for clarity and to make some known bugs more obvious
395         https://bugs.webkit.org/show_bug.cgi?id=142589
396
397         Reviewed by Andreas Kling.
398
399         * API/JSBase.cpp:
400         (JSReportExtraMemoryCost): Added a FIXME to annotate a known bug.
401
402         * bytecode/CodeBlock.cpp:
403         (JSC::CodeBlock::CodeBlock):
404         (JSC::CodeBlock::visitAggregate):
405         * bytecode/CodeBlock.h:
406         (JSC::CodeBlock::setJITCode): Updated for rename.
407
408         * heap/Heap.cpp:
409         (JSC::Heap::Heap):
410         (JSC::Heap::reportExtraMemoryAllocatedSlowCase):
411         (JSC::Heap::deprecatedReportExtraMemorySlowCase): Renamed our reporting
412         APIs to clarify their relationship to each other: One must report extra
413         memory at the time of allocation, and at the time the GC visits it.
414
415         (JSC::Heap::extraMemorySize):
416         (JSC::Heap::size):
417         (JSC::Heap::capacity):
418         (JSC::Heap::sizeAfterCollect):
419         (JSC::Heap::willStartCollection): Updated for renames. Added explicit
420         API for deprecated users who can't use our best API.
421  
422         (JSC::Heap::reportExtraMemoryCostSlowCase): Deleted.
423         (JSC::Heap::extraSize): Deleted.
424
425         * heap/Heap.h:
426         * heap/HeapInlines.h:
427         (JSC::Heap::reportExtraMemoryAllocated):
428         (JSC::Heap::reportExtraMemoryVisited):
429         (JSC::Heap::deprecatedReportExtraMemory):
430         (JSC::Heap::reportExtraMemoryCost): Deleted. Ditto.
431
432         * heap/SlotVisitor.h:
433         * heap/SlotVisitorInlines.h:
434         (JSC::SlotVisitor::reportExtraMemoryVisited):
435         (JSC::SlotVisitor::reportExtraMemoryUsage): Deleted. Moved this
436         functionality into the Heap since it's pretty detailed in its access
437         to the heap.
438
439         * runtime/JSArrayBufferView.cpp:
440         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
441         * runtime/JSGenericTypedArrayViewInlines.h:
442         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): Updated for
443         renames.
444
445         * runtime/JSString.cpp:
446         (JSC::JSString::visitChildren):
447         (JSC::JSRopeString::resolveRopeToAtomicString):
448         (JSC::JSRopeString::resolveRope):
449         * runtime/JSString.h:
450         (JSC::JSString::finishCreation): Updated for renames.
451
452         * runtime/SparseArrayValueMap.cpp:
453         (JSC::SparseArrayValueMap::add): Added FIXME.
454
455         * runtime/WeakMapData.cpp:
456         (JSC::WeakMapData::visitChildren): Updated for rename.
457
458 2015-03-11  Ryosuke Niwa  <rniwa@webkit.org>
459
460         Calling super() in a base class results in a crash
461         https://bugs.webkit.org/show_bug.cgi?id=142563
462
463         Reviewed by Filip Pizlo.
464
465         The bug was caused by BytecodeGenerator trying to generate "super" expression inside the constructor of a base class.
466         Disallow that by keeping track of whether "super" has been used in the current scope or not (needsSuperBinding flag)
467         and then throwing a syntax error in parseFunctionInfo if it was used and the current scope wasn't the constructor of
468         a derived class.
469
470         * parser/Parser.cpp:
471         (JSC::Parser<LexerType>::parseFunctionInfo): Don't allow super() or super.foo outside the constructor of a derived class.
472         (JSC::Parser<LexerType>::parseClass): Pass in the constructor kind to parseGetterSetter.
473         (JSC::Parser<LexerType>::parseGetterSetter): Ditto to parseFunctionInfo.
474         (JSC::Parser<LexerType>::parseMemberExpression): Set needsSuperBinding flag true on the containing scope.
475         * parser/Parser.h:
476         (JSC::Scope::Scope):
477         (JSC::Scope::needsSuperBinding): Added.
478         (JSC::Scope::setNeedsSuperBinding): Added.
479
480 2015-03-10  Darin Adler  <darin@apple.com>
481
482         Some event handler fixes
483         https://bugs.webkit.org/show_bug.cgi?id=142474
484
485         Reviewed by Anders Carlsson.
486
487         * inspector/InjectedScriptManager.cpp:
488         (Inspector::InjectedScriptManager::createInjectedScript): Call clearException.
489         I spotted the fact it was missing by auditing all the calls to JSC::call.
490
491 2015-03-10  Matthew Mirman  <mmirman@apple.com>
492
493         Functions should have initialization precedence over arguments. 
494         https://bugs.webkit.org/show_bug.cgi?id=142550
495         rdar://problem/19702564
496
497         Reviewed by Geoffrey Garen.
498
499         * bytecompiler/BytecodeGenerator.cpp:
500         (JSC::BytecodeGenerator::BytecodeGenerator):
501         (JSC::BytecodeGenerator::initializeCapturedVariable):
502         * tests/stress/initialize_functions_after_arguments.js: Added.
503
504 2015-03-10  Andreas Kling  <akling@apple.com>
505
506         Eden collections should trigger sweep of MarkedBlocks containing new objects.
507         <https://webkit.org/b/142538>
508
509         Reviewed by Geoffrey Garen.
510
511         Take a snapshot of all MarkedBlocks with new objects as part of Eden collections,
512         and append that to the IncrementalSweeper's working set.
513
514         This ensures that we run destructors for objects that were discovered to be garbage during
515         Eden collections, instead of delaying their teardown until the next full collection,
516         or the next allocation cycle for their block.
517
518         * heap/Heap.cpp:
519         (JSC::Heap::snapshotMarkedSpace): For Eden collections, snapshot the list of MarkedBlocks
520         that contain new objects, since those are the only ones we're interested in.
521         Also use Vector::resizeToFit() to allocate the snapshot for full collections, since we know
522         the final size we need up front.
523
524         (JSC::Heap::notifyIncrementalSweeper): For Eden collections, tell the IncrementalSweeper
525         to add the block snapshot (taken earlier) to its existing set of blocks instead of replacing
526         it entirely. This allows Eden collections and incremental sweeping to occur interleaved with
527         each other without missing destruction opportunities.
528
529         * heap/IncrementalSweeper.h:
530         * heap/IncrementalSweeper.cpp:
531         (JSC::IncrementalSweeper::doSweep):
532         (JSC::IncrementalSweeper::sweepNextBlock): Change the way we iterate over the sweeper's
533         work list: instead of keeping an index for the next block, just pop from the end of the list.
534         This allows us to add new blocks and deduplicate the list without disturbing iteration.
535
536         (JSC::IncrementalSweeper::startSweeping): Make this take a Vector<MarkedBlock>&& so we can
537         pass ownership of this Vector efficiently from Heap to IncrementalSweeper.
538
539         (JSC::IncrementalSweeper::addBlocksAndContinueSweeping): Added. This is used by Eden
540         collections to add a set of MarkedBlocks with new objects to the sweeper's existing
541         working set and kick the timer.
542
543         * heap/MarkedSpace.h:
544         (JSC::MarkedSpace::blocksWithNewObjects): Expose the list of MarkedBlocks with new objects.
545
546 2015-03-10  Alex Christensen  <achristensen@webkit.org>
547
548         Use unsigned for HashSet size.
549         https://bugs.webkit.org/show_bug.cgi?id=142518
550
551         Reviewed by Benjamin Poulain.
552
553         * dfg/DFGAvailabilityMap.cpp:
554         (JSC::DFG::AvailabilityMap::prune):
555         * ftl/FTLOSRExitCompiler.cpp:
556         (JSC::FTL::compileStub):
557         * heap/MarkedBlockSet.h:
558         (JSC::MarkedBlockSet::remove):
559         * runtime/WeakMapData.h:
560
561 2015-03-10  Mark Lam  <mark.lam@apple.com>
562
563         Use std::numeric_limits<unsigned>::max() instead of (unsigned)-1.
564         <https://webkit.org/b/142539>
565
566         Reviewed by Benjamin Poulain.
567
568         * jit/JIT.cpp:
569         (JSC::JIT::JIT):
570         (JSC::JIT::privateCompileMainPass):
571         (JSC::JIT::privateCompileSlowCases):
572         (JSC::JIT::privateCompile):
573         (JSC::JIT::privateCompileExceptionHandlers):
574         * jit/JITInlines.h:
575         (JSC::JIT::emitNakedCall):
576         (JSC::JIT::addSlowCase):
577         (JSC::JIT::addJump):
578         (JSC::JIT::emitJumpSlowToHot):
579         (JSC::JIT::emitGetVirtualRegister):
580         * jit/SlowPathCall.h:
581         (JSC::JITSlowPathCall::call):
582         * yarr/Yarr.h:
583
584 2015-03-10  Mark Lam  <mark.lam@apple.com>
585
586         [Win] JSC Build Warnings Need to be Resolved.
587         <https://webkit.org/b/142366>
588
589         Reviewed by Brent Fulgham.
590
591         Applied some benign changes to make the MSVC compiler happy.
592
593         * bytecode/CodeBlock.cpp:
594         (JSC::CodeBlock::dumpBytecode):
595         * dfg/DFGSpeculativeJIT32_64.cpp:
596         (JSC::DFG::SpeculativeJIT::fillJSValue):
597         * runtime/BasicBlockLocation.cpp:
598         (JSC::BasicBlockLocation::getExecutedRanges):
599         * runtime/ControlFlowProfiler.cpp:
600         (JSC::ControlFlowProfiler::hasBasicBlockAtTextOffsetBeenExecuted):
601
602 2015-03-10  Yusuke Suzuki  <utatane.tea@gmail.com>
603
604         Upgrade Map, Set and WeakMap constructor interface
605         https://bugs.webkit.org/show_bug.cgi?id=142348
606
607         Reviewed by Filip Pizlo.
608
609         In the latest ES6 spec, Map and Set constructors take initialization data sets
610         as iterable value. And iterate it and add the values into the constructed one.
611
612         This is breaking change because the old constructor interface is
613         already shipped in Safari 8.
614
615         * runtime/MapConstructor.cpp:
616         (JSC::callMap):
617         (JSC::constructMap):
618         (JSC::MapConstructor::getCallData):
619         * runtime/SetConstructor.cpp:
620         (JSC::callSet):
621         (JSC::constructSet):
622         * runtime/WeakMapConstructor.cpp:
623         (JSC::callWeakMap):
624         (JSC::constructWeakMap):
625         (JSC::WeakMapConstructor::getCallData):
626         * tests/stress/map-constructor-adder.js: Added.
627         * tests/stress/map-constructor.js: Added.
628         (testCallTypeError):
629         (testTypeError):
630         (for):
631         * tests/stress/set-constructor-adder.js: Added.
632         (Set.prototype.add):
633         * tests/stress/set-constructor.js: Added.
634         (for):
635         * tests/stress/weak-map-constructor-adder.js: Added.
636         * tests/stress/weak-map-constructor.js: Added.
637         (testCallTypeError):
638         (testTypeError):
639         (for):
640
641 2015-03-10  Michael Catanzaro  <mcatanzaro@igalia.com>
642
643         GCC: CRASH() should be annotated with NORETURN
644         https://bugs.webkit.org/show_bug.cgi?id=142524
645
646         Reviewed by Anders Carlsson.
647
648         Don't return from a NORETURN function. This used to avoid a warning from GCC, but now it
649         causes one.
650
651         * jsc.cpp:
652
653 2015-03-10  Mark Lam  <mark.lam@apple.com>
654
655         Gardening: fix bleeding debug test bots.
656         https://webkit.org/b/142513>
657
658         Not reviewed.
659
660         The test needs to initialize WTF threading explicitly before using it.
661
662         * API/tests/CompareAndSwapTest.cpp:
663         (testCompareAndSwap):
664
665 2015-03-10  Alex Christensen  <achristensen@webkit.org>
666
667         [WinCairo] Unreviewed build fix.
668
669         * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
670         Added directory containing config.h, like r181304.
671
672 2015-03-09  Mark Lam  <mark.lam@apple.com>
673
674         Yet another build fix for Windows.
675         https://webkit.org/b/142513>
676
677         Reviewed by Alex Christensen.
678
679         Looks like MSVC requires the function be explicitly declared in a header file
680         in order for it to be linkable from another file in the same project.  This is
681         strange, but it seems to make MSVC happy.
682
683         Also fixed a typo in testapi.vcxproj.filters.
684
685         * API/tests/CompareAndSwapTest.cpp:
686         * API/tests/CompareAndSwapTest.h: Added.
687         * API/tests/testapi.c:
688         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
689         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
690         * JavaScriptCore.xcodeproj/project.pbxproj:
691
692 2015-03-09  Chris Dumez  <cdumez@apple.com>
693
694         [iOS] Sweep all collected objects on critical memory pressure
695         https://bugs.webkit.org/show_bug.cgi?id=142457
696         <rdar://problem/20044440>
697
698         Reviewed by Geoffrey Garen.
699
700         All fullSweep() API to IncrementalSweeper so that we can call it in the
701         memory pressure handler.
702
703         * heap/IncrementalSweeper.cpp:
704         (JSC::IncrementalSweeper::fullSweep):
705         * heap/IncrementalSweeper.h:
706         (JSC::IncrementalSweeper::hasWork):
707
708 2015-03-09  Mark Lam  <mark.lam@apple.com>
709
710         Another build fix for Windows.
711         https://webkit.org/b/142513>
712
713         Not reviewed.
714
715         * API/tests/CompareAndSwapTest.cpp:
716         - Added JS_EXPORT_PRIVATE attribute.
717
718 2015-03-09  Mark Lam  <mark.lam@apple.com>
719
720         Build fix for Windows after r181305.
721         https://webkit.org/b/142513>
722
723         Reviewed by Alex Christensen.
724
725         Windows doesn't like pthreads anymore.  Changed test to use WTF threading.
726
727         * API/tests/CompareAndSwapTest.cpp:
728         (setBitThreadFunc):
729         (testCompareAndSwap):
730
731 2015-03-09  Mark Lam  <mark.lam@apple.com>
732
733         8-bit version of weakCompareAndSwap() can cause an infinite loop.
734         https://webkit.org/b/142513>
735
736         Reviewed by Filip Pizlo.
737
738         Added a test that exercises the 8-bit CAS from multiple threads.  The threads
739         will contend to set bits in a large array of bytes using the CAS function.
740
741         * API/tests/CompareAndSwapTest.cpp: Added.
742         (Bitmap::Bitmap):
743         (Bitmap::numBits):
744         (Bitmap::clearAll):
745         (Bitmap::concurrentTestAndSet):
746         (setBitThreadFunc):
747         (testCompareAndSwap):
748         * API/tests/testapi.c:
749         (main):
750         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
751         * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
752         * JavaScriptCore.xcodeproj/project.pbxproj:
753
754 2015-03-09  Brent Fulgham  <bfulgham@apple.com>
755
756         [Win] testapi project is unable to find the 'config.h' file.
757
758         Rubberstamped by Mark Lam.
759
760         * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Add JavaScriptCore source directory
761         to the include path.
762
763 2015-03-09  Andreas Kling  <akling@apple.com>
764
765         Stale entries in WeakGCMaps are keeping tons of WeakBlocks alive unnecessarily.
766         <https://webkit.org/b/142115>
767         <rdar://problem/19992268>
768
769         Reviewed by Geoffrey Garen.
770
771         Prune stale entries from WeakGCMaps as part of every full garbage collection.
772         This frees up tons of previously-stuck WeakBlocks that were only sitting around
773         with finalized handles waiting to die.
774
775         Note that WeakGCMaps register/unregister themselves with the GC heap in their
776         ctor/dtor, so creating one now requires passing the VM.
777
778         Average time spent in the PruningStaleEntriesFromWeakGCMaps GC phase appears
779         to be between 0.01ms and 0.3ms, though I've seen a few longer ones at ~1.2ms.
780         It seems somewhat excessive to do this on every Eden collection, so it's only
781         doing work in full collections for now.
782
783         Because the GC may now mutate WeakGCMap below object allocation, I've made it
784         so that the classic HashMap::add() optimization can't be used with WeakGCMap.
785         This caused intermittent test failures when originally landed due to having
786         an invalid iterator on the stack after add() inserted a new entry and we
787         proceeded to allocate the new object, triggering GC.
788
789         * API/JSWeakObjectMapRefInternal.h:
790         (OpaqueJSWeakObjectMap::create):
791         (OpaqueJSWeakObjectMap::OpaqueJSWeakObjectMap):
792         * API/JSWeakObjectMapRefPrivate.cpp:
793         * API/JSWrapperMap.mm:
794         (-[JSWrapperMap initWithContext:]):
795         (-[JSWrapperMap jsWrapperForObject:]): Pass VM to WeakGCMap constructor.
796
797         * JavaScriptCore.xcodeproj/project.pbxproj: Add WeakGCMapInlines.h and make
798         it project-private so WebCore clients can access it.
799
800         * heap/Heap.cpp:
801         (JSC::Heap::collect):
802         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps): Added a new GC phase for pruning
803         stale entries from WeakGCMaps. This is only executed during full collections.
804
805         * heap/Heap.h:
806         * heap/HeapInlines.h:
807         (JSC::Heap::registerWeakGCMap):
808         (JSC::Heap::unregisterWeakGCMap): Added a mechanism for WeakGCMaps to register
809         themselves with the Heap and provide a pruning callback.
810
811         * runtime/PrototypeMap.h:
812         (JSC::PrototypeMap::PrototypeMap):
813         * runtime/Structure.cpp:
814         (JSC::StructureTransitionTable::add): Pass VM to WeakGCMap constructor.
815
816         * runtime/JSCInlines.h: Add "WeakGCMapInlines.h"
817
818         * runtime/JSGlobalObject.cpp: Include "WeakGCMapInlines.h" so this builds.
819
820         * runtime/JSString.cpp:
821         (JSC::jsStringWithCacheSlowCase):
822         * runtime/PrototypeMap.cpp:
823         (JSC::PrototypeMap::addPrototype):
824         (JSC::PrototypeMap::emptyObjectStructureForPrototype): Remove HashMap add()
825         optimization since it's not safe in the GC-managed WeakGCMap world.
826
827         * runtime/VM.cpp:
828         (JSC::VM::VM): Pass VM to WeakGCMap constructor.
829
830         * runtime/WeakGCMap.h:
831         (JSC::WeakGCMap::set):
832         (JSC::WeakGCMap::add):
833         (JSC::WeakGCMap::WeakGCMap): Deleted.
834         (JSC::WeakGCMap::gcMap): Deleted.
835         (JSC::WeakGCMap::gcMapIfNeeded): Deleted.
836         * runtime/WeakGCMapInlines.h: Added.
837         (JSC::WeakGCMap::WeakGCMap):
838         (JSC::WeakGCMap::~WeakGCMap):
839         (JSC::WeakGCMap::pruneStaleEntries): Moved ctor, dtor and pruning callback
840         to WeakGCMapInlines.h to fix interdependent header issues. Removed code that
841         prunes WeakGCMap at certain growth milestones and instead rely on the GC
842         callback for housekeeping.
843
844 2015-03-09  Ryosuke Niwa  <rniwa@webkit.org>
845
846         Support extends and super keywords
847         https://bugs.webkit.org/show_bug.cgi?id=142200
848
849         Reviewed by Filip Pizlo.
850
851         Added the support for ES6 class syntax inheritance.
852
853         Added ConstructorKind as well as boolean flags indicating the constructor kind to
854         various classes in UnlinkedCodeBlock as well as AST nodes.
855
856         Each method stores the associated class as its homeObjectPrivateName. This value is used to
857         make super calls.
858
859         * bytecode/UnlinkedCodeBlock.cpp:
860         (JSC::generateFunctionCodeBlock):
861         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
862         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
863
864         * bytecode/UnlinkedCodeBlock.h:
865         (JSC::ExecutableInfo::ExecutableInfo):
866         (JSC::UnlinkedFunctionExecutable::constructorKindIsDerived): Added.
867         (JSC::UnlinkedCodeBlock::constructorKindIsDerived): Added.
868
869         * bytecompiler/BytecodeGenerator.cpp:
870         (JSC::BytecodeGenerator::BytecodeGenerator): Don't emit op_create_this in a derived class
871         as the object is allocated by the highest base class's constructor. Also set "this" to null
872         and store the original value in m_newTargetRegister. "this" is supposed to be in TDZ but
873         that will be implemented in a separate patch.
874         (JSC::BytecodeGenerator::emitReturn): Allow "undefined" to be returned from a derived class.
875         In a derived class's constructor, not returning "undefined" or an object results in a type
876         error instead of "this" being returned.
877         (JSC::BytecodeGenerator::emitThrowTypeError): Added.
878
879         * bytecompiler/BytecodeGenerator.h:
880         (JSC::BytecodeGenerator::constructorKindIsDerived): Added.
881         (JSC::BytecodeGenerator::newTarget): Added.
882
883         * bytecompiler/NodesCodegen.cpp:
884         (JSC::SuperNode::emitBytecode): Added. Emits the code to obtain the callee's parent class.
885         (JSC::emitSuperBaseForCallee): Added. Emits the code to obtain the parent class's prototype.
886         (JSC::emitPutHomeObject): Added.
887         (JSC::PropertyListNode::emitBytecode): Stores the home object when adding methods.
888         (JSC::PropertyListNode::emitPutConstantProperty): Ditto.
889         (JSC::BracketAccessorNode::emitBytecode): Added the support for super['foo'].
890         (JSC::DotAccessorNode::emitBytecode): Added the support for super.foo.
891         (JSC::FunctionCallValueNode::emitBytecode): Added the support for super().
892         (JSC::FunctionCallBracketNode::emitBytecode): Added the support for super['foo']().
893         (JSC::FunctionCallDotNode::emitBytecode): Added the support for super.foo().
894         (JSC::DeleteBracketNode::emitBytecode): Forbid "delete super.foo".
895         (JSC::DeleteDotNode::emitBytecode): Forbid "delete super['foo']".
896         (JSC::ClassExprNode::emitBytecode): Added the support for "classHeritage". This is the main
897         logic for inheritance. When a class B inherits from a class A, set B.__proto__ to A and set
898         B.prototype.__proto__ to A.prototype. Throw exceptions when either A or A.__proto__ is not
899         an object.
900
901         * parser/ASTBuilder.h:
902         (JSC::ASTBuilder::superExpr): Added.
903
904         * parser/NodeConstructors.h:
905         (JSC::SuperNode::SuperNode): Added.
906
907         * parser/Nodes.cpp:
908         (JSC::FunctionBodyNode::FunctionBodyNode):
909
910         * parser/Nodes.h:
911         (JSC::ExpressionNode::isSuperNode):
912         (JSC::PropertyNode::type):
913         (JSC::PropertyNode::needsSuperBinding):
914
915         * parser/Parser.cpp:
916         (JSC::Parser<LexerType>::parseFunctionBody):
917         (JSC::Parser<LexerType>::parseFunctionInfo): Throw a parser error if super() is used outside
918         of class constructors.
919         (JSC::Parser<LexerType>::parseFunctionDeclaration):
920         (JSC::Parser<LexerType>::parseClass): ConstructorKind is "derived" if and only if the parent
921         class is specified in the declaration / expression.
922         (JSC::Parser<LexerType>::parseGetterSetter):
923         (JSC::Parser<LexerType>::parsePrimaryExpression):
924         (JSC::Parser<LexerType>::parseMemberExpression): Added the support for "super()", "super.foo",
925         and "super['foo']". Throw a semantic error if "super" appears by itself.
926
927         * parser/Parser.h:
928         (JSC::Scope::Scope): Added m_hasDirectSuper. This variable keeps track of the use of "super()"
929         so that parseFunctionInfo can spit an error if it's used outside of class constructors.
930         (JSC::Scope::hasDirectSuper): Added.
931         (JSC::Scope::setHasDirectSuper): Added.
932
933         * parser/ParserModes.h:
934         (JSC::ConstructorKind): Added.
935
936         * parser/SyntaxChecker.h:
937         (JSC::SyntaxChecker::superExpr): Added.
938
939         * runtime/CommonIdentifiers.h: Added homeObjectPrivateName.
940
941         * runtime/Executable.h:
942         (JSC::EvalExecutable::executableInfo): 
943         (JSC::ProgramExecutable::executableInfo):
944
945 2015-03-08  Andreas Kling  <akling@apple.com>
946
947         JITThunks keeps finalized Weaks around, pinning WeakBlocks.
948         <https://webkit.org/b/142454>
949
950         Reviewed by Darin Adler.
951
952         Make JITThunks a WeakHandleOwner so it can keep its host function map free of stale entries.
953         This fixes an issue I was seeing where a bunch of WeakBlocks stuck around with nothing but
954         finalized Weak<NativeExecutable> entries.
955
956         * jit/JITThunks.h:
957         * jit/JITThunks.cpp:
958         (JSC::JITThunks::finalize): Make JITThunks inherit from WeakHandleOwner so it can receive
959         a callback when the NativeExecutables get garbage collected.
960
961         (JSC::JITThunks::hostFunctionStub): Pass 'this' as the handle owner when creating Weaks.
962
963 2015-03-08  Andreas Kling  <akling@apple.com>
964
965         BuiltinExecutables keeps finalized Weaks around, pinning WeakBlocks.
966         <https://webkit.org/b/142460>
967
968         Reviewed by Geoffrey Garen.
969
970         Make BuiltinExecutables a WeakHandleOwner so it can clear out its respective Weak members
971         if and when their pointees get garbage collected.
972
973         This fixes an issue I've seen locally where a WeakBlock is pinned down by a single one of
974         these Weak<BuiltinExecutables>.
975
976         * builtins/BuiltinExecutables.h: Make BuiltinExecutables inherit from WeakHandleOwner.
977
978         * builtins/BuiltinExecutables.cpp:
979         (JSC::BuiltinExecutables::finalize): Clear out the relevant member pointer when it's been
980         garbage collected. We use the WeakImpl's "context" field to pass the address of the member.
981
982 2015-03-07  Geoffrey Garen  <ggaren@apple.com>
983
984         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
985         https://bugs.webkit.org/show_bug.cgi?id=140900
986
987         Reviewed by Mark Hahnenberg.
988
989         Re-landing just the removal of BlockAllocator, which is now unused.
990
991         * API/JSBase.cpp:
992         * CMakeLists.txt:
993         * JavaScriptCore.order:
994         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
995         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
996         * JavaScriptCore.xcodeproj/project.pbxproj:
997         * heap/BlockAllocator.cpp: Removed.
998         * heap/BlockAllocator.h: Removed.
999         * heap/GCThreadSharedData.h:
1000         * heap/HandleBlockInlines.h:
1001         * heap/Heap.cpp:
1002         (JSC::Heap::Heap):
1003         * heap/Heap.h:
1004         * heap/HeapInlines.h:
1005         (JSC::Heap::blockAllocator): Deleted.
1006         * heap/HeapTimer.cpp:
1007         * heap/MarkedBlock.h:
1008         * heap/MarkedSpace.h:
1009         * heap/Region.h: Removed.
1010         * heap/SuperRegion.cpp: Removed.
1011         * heap/SuperRegion.h: Removed.
1012
1013 2015-03-07  Commit Queue  <commit-queue@webkit.org>
1014
1015         Unreviewed, rolling out r181010.
1016         https://bugs.webkit.org/show_bug.cgi?id=142442
1017
1018         Broke media/video-src-invalid-poster.html (Requested by kling
1019         on #webkit).
1020
1021         Reverted changeset:
1022
1023         "Stale entries in WeakGCMaps are keeping tons of WeakBlocks
1024         alive unnecessarily."
1025         https://bugs.webkit.org/show_bug.cgi?id=142115
1026         http://trac.webkit.org/changeset/181010
1027
1028 2015-03-07  Ryosuke Niwa  <rniwa@webkit.org>
1029
1030         The code to link FunctionExecutable is duplicated everywhere
1031         https://bugs.webkit.org/show_bug.cgi?id=142436
1032
1033         Reviewed by Darin Adler.
1034
1035         Reduced code duplication by factoring out linkInsideExecutable and linkGlobalCode.
1036
1037         * bytecode/CodeBlock.cpp:
1038         (JSC::CodeBlock::CodeBlock): Calls linkInsideExecutable.
1039
1040         * bytecode/UnlinkedCodeBlock.cpp:
1041         (JSC::UnlinkedFunctionExecutable::linkInsideExecutable): Renamed from link. Now takes care of startOffset.
1042         This change was needed to use this function in CodeBlock::CodeBlock. Also, this function no longer takes
1043         lineOffset since this information is already stored in the source code.
1044         (JSC::UnlinkedFunctionExecutable::linkGlobalCode): Extracted from FunctionExecutable::fromGlobalCode.
1045
1046         * bytecode/UnlinkedCodeBlock.h:
1047
1048         * generate-js-builtins: Calls linkGlobalCode.
1049
1050         * runtime/Executable.cpp:
1051         (JSC::ProgramExecutable::initializeGlobalProperties): Calls linkGlobalCode.
1052         (JSC::FunctionExecutable::fromGlobalCode): Calls linkGlobalCode.
1053
1054 2015-03-06  Geoffrey Garen  <ggaren@apple.com>
1055
1056         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1057         https://bugs.webkit.org/show_bug.cgi?id=140900
1058
1059         Reviewed by Mark Hahnenberg.
1060
1061         Re-landing just the MarkedBlock piece of this patch.
1062
1063         * heap/MarkedAllocator.cpp:
1064         (JSC::MarkedAllocator::allocateBlock):
1065         * heap/MarkedBlock.cpp:
1066         (JSC::MarkedBlock::create):
1067         (JSC::MarkedBlock::destroy):
1068         (JSC::MarkedBlock::MarkedBlock):
1069         * heap/MarkedBlock.h:
1070         (JSC::MarkedBlock::capacity):
1071         * heap/MarkedSpace.cpp:
1072         (JSC::MarkedSpace::freeBlock):
1073
1074 2015-03-07  Ryosuke Niwa  <rniwa@webkit.org>
1075
1076         fromGlobalCode has an unused Debugger* argument
1077         https://bugs.webkit.org/show_bug.cgi?id=142430
1078
1079         Reviewed by Darin Adler.
1080
1081         Removed the debugger argument from UnlinkedFunctionExecutable::fromGlobalCode and
1082         FunctionExecutable::fromGlobalCode since it's not used in either function.
1083
1084         Also use reference in other arguments.
1085
1086         * bytecode/UnlinkedCodeBlock.cpp:
1087         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
1088         * bytecode/UnlinkedCodeBlock.h:
1089         * runtime/Executable.cpp:
1090         (JSC::FunctionExecutable::fromGlobalCode):
1091         * runtime/Executable.h:
1092         * runtime/FunctionConstructor.cpp:
1093         (JSC::constructFunctionSkippingEvalEnabledCheck):
1094
1095 2015-03-06  Brent Fulgham  <bfulgham@apple.com>
1096
1097         [Win] Turn off a warning on Windows.
1098
1099         Reduce build logging noise on Windows.
1100
1101         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
1102
1103 2015-03-06  Joseph Pecoraro  <pecoraro@apple.com>
1104
1105         Web Inspector: ES6: Improved Support for Iterator Objects
1106         https://bugs.webkit.org/show_bug.cgi?id=142420
1107
1108         Reviewed by Timothy Hatcher.
1109
1110         * inspector/protocol/Runtime.json:
1111         Add new object subtype "iterator" for built-in iterator objects.
1112
1113         * inspector/InjectedScriptSource.js:
1114         Return iterator values as Entry objects.
1115
1116         * inspector/JSInjectedScriptHost.cpp:
1117         (Inspector::JSInjectedScriptHost::subtype):
1118         Identify "iterator" typed objects.
1119
1120         (Inspector::JSInjectedScriptHost::getInternalProperties):
1121         Provide internal properties for the different Iterator objects.
1122
1123         (Inspector::JSInjectedScriptHost::iteratorEntries):
1124         Fetch the next few iterator entries of a built-in iterator object.
1125
1126         * inspector/JSInjectedScriptHost.h:
1127         * inspector/JSInjectedScriptHostPrototype.cpp:
1128         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1129         (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
1130         Call through to JSInjectedScriptHost.
1131
1132         * runtime/JSArgumentsIterator.cpp:
1133         (JSC::JSArgumentsIterator::clone):
1134         * runtime/JSArgumentsIterator.h:
1135         (JSC::JSArgumentsIterator::iteratedValue):
1136         * runtime/JSArrayIterator.cpp:
1137         (JSC::JSArrayIterator::kind):
1138         (JSC::JSArrayIterator::iteratedValue):
1139         (JSC::JSArrayIterator::clone):
1140         * runtime/JSArrayIterator.h:
1141         * runtime/JSMapIterator.cpp:
1142         (JSC::JSMapIterator::finishCreation):
1143         (JSC::JSMapIterator::clone):
1144         * runtime/JSMapIterator.h:
1145         (JSC::JSMapIterator::kind):
1146         (JSC::JSMapIterator::iteratedValue):
1147         * runtime/JSSetIterator.cpp:
1148         (JSC::JSSetIterator::finishCreation):
1149         (JSC::JSSetIterator::clone):
1150         * runtime/JSSetIterator.h:
1151         (JSC::JSSetIterator::kind):
1152         (JSC::JSSetIterator::iteratedValue):
1153         * runtime/JSStringIterator.cpp:
1154         (JSC::JSStringIterator::iteratedValue):
1155         (JSC::JSStringIterator::clone):
1156         * runtime/JSStringIterator.h:
1157         Add accessors for internal properties and provide a way to clone the
1158         iterator so we can be at the same index and peek at the next few
1159         objects without modifying the original iterator object.
1160
1161 2015-03-06  Ryosuke Niwa  <rniwa@webkit.org>
1162
1163         REGRESSION(r180595): construct varargs fails in FTL
1164         https://bugs.webkit.org/show_bug.cgi?id=142030
1165
1166         Reviewed by Michael Saboff.
1167
1168         Increase sizeOfCallVarargs as done for sizeOfConstructVarargs in r180651.
1169
1170         * ftl/FTLInlineCacheSize.cpp:
1171         (JSC::FTL::sizeOfCallVarargs):
1172
1173 2015-03-06  Joseph Pecoraro  <pecoraro@apple.com>
1174
1175         Web Inspector: Adopt Object Literal Shorthand Property Construction Syntax
1176         https://bugs.webkit.org/show_bug.cgi?id=142374
1177
1178         Reviewed by Timothy Hatcher.
1179
1180         * inspector/InjectedScriptSource.js:
1181
1182 2015-03-06  Joseph Pecoraro  <pecoraro@apple.com>
1183
1184         ES6: Object Literal Extensions - Methods
1185         https://bugs.webkit.org/show_bug.cgi?id=142390
1186
1187         Reviewed by Geoffrey Garen.
1188
1189         Support method syntax in object literals.
1190
1191         * parser/Parser.h:
1192         * parser/Parser.cpp:
1193         (JSC::stringForFunctionMode):
1194         (JSC::Parser<LexerType>::parseProperty):
1195         Methods are allowed for identifier, string, and numeric names,
1196         and computed property names.
1197
1198         (JSC::Parser<LexerType>::parsePropertyMethod):
1199         Helper for parsing a property method.
1200
1201 2015-03-05  Joseph Pecoraro  <pecoraro@apple.com>
1202
1203         __proto__ shorthand property should not modify prototype in Object Literal construction
1204         https://bugs.webkit.org/show_bug.cgi?id=142382
1205
1206         Reviewed by Geoffrey Garen.
1207
1208         When parsing shorthand property syntax we know we will do a
1209         put direct, even if the property name is __proto__. Pass that
1210         information through to bytecode generation.
1211
1212         * bytecompiler/BytecodeGenerator.cpp:
1213         (JSC::BytecodeGenerator::emitDirectPutById):
1214         * bytecompiler/BytecodeGenerator.h:
1215         * bytecompiler/NodesCodegen.cpp:
1216         (JSC::PropertyListNode::emitPutConstantProperty):
1217         * parser/ASTBuilder.h:
1218         (JSC::ASTBuilder::createGetterOrSetterProperty):
1219         (JSC::ASTBuilder::createProperty):
1220         * parser/NodeConstructors.h:
1221         (JSC::PropertyNode::PropertyNode):
1222         * parser/Nodes.h:
1223         (JSC::PropertyNode::putType):
1224         * parser/Parser.cpp:
1225         (JSC::Parser<LexerType>::parseClass):
1226         (JSC::Parser<LexerType>::parseProperty):
1227         * parser/SyntaxChecker.h:
1228         (JSC::SyntaxChecker::createProperty):
1229
1230 2015-03-06  Geoffrey Garen  <ggaren@apple.com>
1231
1232         Fix crashes seen on the the 32-bit buildbots after my last patch.
1233
1234         Unreviewed.
1235
1236         * heap/CopiedBlock.h:
1237         (JSC::CopiedBlock::payload):
1238         * heap/CopiedSpace.cpp:
1239         (JSC::CopiedSpace::tryAllocateOversize): Round up to the right alignment,
1240         since the size of the CopiedBlock class is not guaranteed to be the
1241         right alignment, and is in fact the wrong alignment on 32-bit.
1242
1243 2015-03-05  Geoffrey Garen  <ggaren@apple.com>
1244
1245         Use FastMalloc (bmalloc) instead of BlockAllocator for GC pages
1246         https://bugs.webkit.org/show_bug.cgi?id=140900
1247
1248         Reviewed by Mark Hahnenberg.
1249
1250         Re-landing just the CopiedBlock piece of this patch.
1251
1252         * heap/CopiedBlock.h:
1253         (JSC::CopiedBlock::createNoZeroFill):
1254         (JSC::CopiedBlock::destroy):
1255         (JSC::CopiedBlock::create):
1256         (JSC::CopiedBlock::CopiedBlock):
1257         (JSC::CopiedBlock::isOversize):
1258         (JSC::CopiedBlock::payloadEnd):
1259         (JSC::CopiedBlock::capacity):
1260         * heap/CopiedSpace.cpp:
1261         (JSC::CopiedSpace::~CopiedSpace):
1262         (JSC::CopiedSpace::tryAllocateOversize):
1263         (JSC::CopiedSpace::tryReallocateOversize):
1264         * heap/CopiedSpaceInlines.h:
1265         (JSC::CopiedSpace::recycleEvacuatedBlock):
1266         (JSC::CopiedSpace::recycleBorrowedBlock):
1267         (JSC::CopiedSpace::allocateBlockForCopyingPhase):
1268         (JSC::CopiedSpace::allocateBlock):
1269         (JSC::CopiedSpace::startedCopying):
1270         * heap/CopyWorkList.h:
1271
1272 2015-03-06  Myles C. Maxfield  <mmaxfield@apple.com>
1273
1274         [iOS] SVG fonts are garbled
1275         https://bugs.webkit.org/show_bug.cgi?id=142377
1276
1277         Reviewed by Simon Fraser.
1278
1279         * Configurations/FeatureDefines.xcconfig:
1280
1281 2015-03-05  Joseph Pecoraro  <pecoraro@apple.com>
1282
1283         ES6: Object Literal Extensions - Shorthand Properties (Identifiers)
1284         https://bugs.webkit.org/show_bug.cgi?id=142353
1285
1286         Reviewed by Geoffrey Garen.
1287
1288         * parser/Parser.cpp:
1289         (JSC::Parser<LexerType>::parseProperty):
1290         Parsing an identifier property followed by a comma or end brace treat
1291         as a shorthand property and create a property that has the same
1292         property name as the identifier name and value of a variable with that
1293         identifier. Otherwise, fall through to getter/setter parsing.
1294
1295 2015-03-05  Brent Fulgham  <bfulgham@apple.com>
1296
1297         [Win] Unreviewed gardening.
1298
1299         Confirmed with JSC that warning 4611 (interaction between '_setjmp' and C++ object
1300         destruction is non-portable) should be ignored in the JavaScriptCore project.
1301
1302         * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Silence warning 4611.
1303
1304 2015-03-05  Chris Dumez  <cdumez@apple.com>
1305
1306         Regression(r173761): ASSERTION FAILED: !is8Bit() in StringImpl::characters16()
1307         https://bugs.webkit.org/show_bug.cgi?id=142350
1308
1309         Reviewed by Michael Saboff and Benjamin Poulain.
1310
1311         Call WTFString::hasInfixStartingAt() / hasInfixEndingAt() now that these
1312         methods have been renamed for clarity.
1313
1314         * runtime/StringPrototype.cpp:
1315         (JSC::stringProtoFuncStartsWith):
1316         (JSC::stringProtoFuncEndsWith):
1317
1318 2015-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1319
1320         Implement ES6 StringIterator
1321         https://bugs.webkit.org/show_bug.cgi?id=142080
1322
1323         Reviewed by Filip Pizlo.
1324
1325         This patch introduces ES6 String Iterator.
1326         It enumerates code points instead of elements in String.
1327         So surrogate pairs should be handled correctly.
1328
1329         * CMakeLists.txt:
1330         * DerivedSources.make:
1331         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1332         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1333         * JavaScriptCore.xcodeproj/project.pbxproj:
1334         * builtins/StringIterator.prototype.js: Added.
1335         (next):
1336         * runtime/CommonIdentifiers.h:
1337         * runtime/JSGlobalObject.cpp:
1338         * runtime/JSGlobalObject.h:
1339         * runtime/JSStringIterator.cpp: Added.
1340         (JSC::JSStringIterator::finishCreation):
1341         * runtime/JSStringIterator.h: Added.
1342         (JSC::JSStringIterator::createStructure):
1343         (JSC::JSStringIterator::create):
1344         (JSC::JSStringIterator::JSStringIterator):
1345         * runtime/StringIteratorConstructor.cpp: Added.
1346         (JSC::StringIteratorConstructor::finishCreation):
1347         * runtime/StringIteratorConstructor.h: Added.
1348         (JSC::StringIteratorConstructor::create):
1349         (JSC::StringIteratorConstructor::createStructure):
1350         (JSC::StringIteratorConstructor::StringIteratorConstructor):
1351         * runtime/StringIteratorPrototype.cpp: Added.
1352         (JSC::StringIteratorPrototype::finishCreation):
1353         (JSC::StringIteratorPrototype::getOwnPropertySlot):
1354         (JSC::stringIteratorPrototypeIterator):
1355         * runtime/StringIteratorPrototype.h: Added.
1356         (JSC::StringIteratorPrototype::create):
1357         (JSC::StringIteratorPrototype::createStructure):
1358         (JSC::StringIteratorPrototype::StringIteratorPrototype):
1359         * runtime/StringPrototype.cpp:
1360         (JSC::StringPrototype::finishCreation):
1361         (JSC::stringProtoFuncIterator):
1362         * tests/stress/string-iterators.js: Added.
1363         (testSurrogatePair):
1364         (increment):
1365         (for):
1366
1367 2015-03-05  Csaba Osztrogonác  <ossy@webkit.org>
1368
1369         [ARM] Fix the FTL build on Aarch64 Linux after r177421
1370         https://bugs.webkit.org/show_bug.cgi?id=142040
1371
1372         Reviewed by Mark Lam.
1373
1374         * llvm/library/LLVMExports.cpp:
1375         (initializeAndGetJSCLLVMAPI):
1376
1377 2015-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1378
1379         Upgrade ES6 Iterator interfaces
1380         https://bugs.webkit.org/show_bug.cgi?id=141351
1381
1382         Reviewed by Filip Pizlo.
1383
1384         This patch upgrades the exising ES6 iterator to align the latest spec.
1385         In the latest spec,
1386         1. `Iterator.next` returns object that implements IteratorResult interface { value: value, done, boolean }.
1387         2. `Iterator.return` is introduced. When the iteration is terminated by the abrupt completion,
1388         it is called to close iterator state.
1389         3. Iterator.next of Array is moved from an iterator object to `%ArrayIteratorPrototype%`.
1390
1391         To upgrade it, we changes the bytecode that represents for-of loops.
1392         And to embody the efficient iteration with an iterator object,
1393         we implemented %ArrayIteratorPrototype%.next in JavaScript and
1394         it is located in builtins/ArrayIterator.prototype.js.
1395         Implementing it in JavaScript encourages inlining and
1396         utilizes escape analysis for an iterator result object in DFG JIT.
1397         And we dropped the intrinsic version of %ArrayIteratorPrototype%.next.
1398
1399         And we introduced IteratorOperations that is defined in the spec.
1400         It aligns the iteration in the runtime to the latest spec.
1401         Currently, Promise.all and Promise.race uses an iterable object.
1402         However, Promise.all and Promise.race implementation is also based on the old spec.
1403         Subsequent patches will upgrade it.
1404
1405         * CMakeLists.txt:
1406         * DerivedSources.make:
1407         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1408         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
1409         * JavaScriptCore.xcodeproj/project.pbxproj:
1410         * builtins/ArrayIterator.prototype.js: Copied from Source/JavaScriptCore/runtime/ArrayIteratorPrototype.h.
1411         (next):
1412         * bytecompiler/BytecodeGenerator.cpp:
1413         (JSC::BytecodeGenerator::emitReturn):
1414         (JSC::BytecodeGenerator::emitThrowTypeError):
1415         (JSC::BytecodeGenerator::emitEnumeration):
1416         (JSC::BytecodeGenerator::emitIsObject):
1417         (JSC::BytecodeGenerator::emitIsUndefined):
1418         * bytecompiler/BytecodeGenerator.h:
1419         * jit/ThunkGenerators.cpp:
1420         (JSC::arrayIteratorNextThunkGenerator): Deleted.
1421         (JSC::arrayIteratorNextKeyThunkGenerator): Deleted.
1422         (JSC::arrayIteratorNextValueThunkGenerator): Deleted.
1423         * jit/ThunkGenerators.h:
1424         * runtime/ArgumentsIteratorPrototype.cpp:
1425         (JSC::ArgumentsIteratorPrototype::finishCreation):
1426         (JSC::argumentsIteratorPrototypeFuncNext):
1427         * runtime/ArrayIteratorPrototype.cpp:
1428         (JSC::ArrayIteratorPrototype::finishCreation):
1429         (JSC::ArrayIteratorPrototype::getOwnPropertySlot):
1430         (JSC::arrayIteratorProtoFuncIterator):
1431         (JSC::arrayIteratorPrototypeIterate): Deleted.
1432         * runtime/ArrayIteratorPrototype.h:
1433         * runtime/CommonIdentifiers.h:
1434         * runtime/Intrinsic.h:
1435         * runtime/IteratorOperations.cpp: Added.
1436         (JSC::iteratorNext):
1437         (JSC::iteratorValue):
1438         (JSC::iteratorComplete):
1439         (JSC::iteratorStep):
1440         (JSC::iteratorClose):
1441         (JSC::createIterResultObject):
1442         * runtime/IteratorOperations.h: Copied from Source/JavaScriptCore/runtime/ArrayIteratorPrototype.cpp.
1443         * runtime/JSArrayIterator.cpp:
1444         (JSC::JSArrayIterator::finishCreation):
1445         (JSC::JSArrayIterator::visitChildren): Deleted.
1446         (JSC::createIteratorResult): Deleted.
1447         (JSC::arrayIteratorNext): Deleted.
1448         (JSC::arrayIteratorNextKey): Deleted.
1449         (JSC::arrayIteratorNextValue): Deleted.
1450         (JSC::arrayIteratorNextGeneric): Deleted.
1451         * runtime/JSArrayIterator.h:
1452         (JSC::JSArrayIterator::JSArrayIterator):
1453         (JSC::JSArrayIterator::iterationKind): Deleted.
1454         (JSC::JSArrayIterator::iteratedObject): Deleted.
1455         (JSC::JSArrayIterator::nextIndex): Deleted.
1456         (JSC::JSArrayIterator::setNextIndex): Deleted.
1457         (JSC::JSArrayIterator::finish): Deleted.
1458         (JSC::JSArrayIterator::offsetOfIterationKind): Deleted.
1459         (JSC::JSArrayIterator::offsetOfIteratedObject): Deleted.
1460         (JSC::JSArrayIterator::offsetOfNextIndex): Deleted.
1461         * runtime/JSGlobalObject.cpp:
1462         (JSC::JSGlobalObject::init):
1463         * runtime/JSPromiseConstructor.cpp:
1464         (JSC::performPromiseRaceLoop):
1465         (JSC::JSPromiseConstructorFuncRace):
1466         (JSC::performPromiseAll):
1467         (JSC::JSPromiseConstructorFuncAll):
1468         * runtime/MapIteratorPrototype.cpp:
1469         (JSC::MapIteratorPrototype::finishCreation):
1470         (JSC::MapIteratorPrototypeFuncNext):
1471         * runtime/SetIteratorPrototype.cpp:
1472         (JSC::SetIteratorPrototype::finishCreation):
1473         (JSC::SetIteratorPrototypeFuncNext):
1474         * runtime/VM.cpp:
1475         (JSC::thunkGeneratorForIntrinsic):
1476         * tests/stress/array-iterators-next-with-call.js: Added.
1477         (increment):
1478         (for):
1479         * tests/stress/array-iterators-next.js: Added.
1480
1481         Revive the older Array iterator tests that manually call 'next' method.
1482
1483         * tests/stress/custom-iterators.js: Added.
1484         (iter.next):
1485         (iter.Symbol.iterator):
1486         (iter.return):
1487         (iter.get next):
1488         (iter.get return):
1489         (iteratorInterfaceErrorTest.iter.next):
1490         (iteratorInterfaceErrorTest.iter.Symbol.iterator):
1491         (iteratorInterfaceErrorTest.iter.return):
1492         (iteratorInterfaceErrorTest):
1493         (iteratorInterfaceErrorTestReturn.iter.next):
1494         (iteratorInterfaceErrorTestReturn.iter.Symbol.iterator):
1495         (iteratorInterfaceErrorTestReturn.iter.return):
1496         (iteratorInterfaceErrorTestReturn):
1497         (iteratorInterfaceBreakTestReturn.iter.next):
1498         (iteratorInterfaceBreakTestReturn.iter.Symbol.iterator):
1499         (iteratorInterfaceBreakTestReturn.iter.return):
1500         (iteratorInterfaceBreakTestReturn):
1501
1502         This tests the behavior of custom iterators.
1503         'next' and 'return' of iterator work with for-of.
1504
1505         * tests/stress/iterators-shape.js: Added.
1506         (iteratorShape):
1507         (sameNextMethods):
1508         (set var):
1509
1510         This tests the shape of iterators; iterators of Array have 'next' method in %ArrayIteratorPrototype%.
1511
1512         * tests/stress/map-iterators-next.js: Added.
1513         (set var):
1514         (.get if):
1515         (otherKey):
1516         * tests/stress/set-iterators-next.js: Added.
1517         (otherKey):
1518
1519 2015-03-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1520
1521         Hide Promise with runtime flags under Cocoa JSContext API
1522         https://bugs.webkit.org/show_bug.cgi?id=141965
1523
1524         Reviewed by Filip Pizlo.
1525
1526         Since there's no run loop in JavaScriptCore APIs, Promises don't work currently.
1527         So until they work, we hide Promise from a global object.
1528         Introduce new JSC runtime flag, PromiseDisabled. When `isPromiseDisabled` is true,
1529         Promise constructor is not attached to JSGlobalObject.
1530
1531         To make 0 as default runtime flags, we choose PromiseDisabled flag
1532         instead of PromiseEnabled flag. So by default, Promise is enabled.
1533
1534         * API/JSCallbackObjectFunctions.h:
1535         (JSC::JSCallbackObject<Parent>::JSCallbackObject):
1536         * API/JSContextRef.cpp:
1537         (javaScriptRuntimeFlags):
1538         (JSGlobalContextCreateInGroup):
1539         * API/tests/testapi.c:
1540         (main):
1541         * API/tests/testapi.mm:
1542         (testObjectiveCAPI):
1543         * runtime/JSGlobalObject.cpp:
1544         (JSC::JSGlobalObject::init):
1545         * runtime/JSGlobalObject.h:
1546         (JSC::JSGlobalObject::create):
1547         * runtime/RuntimeFlags.h:
1548         (JSC::RuntimeFlags::createAllEnabled):
1549
1550 2015-03-04  Joseph Pecoraro  <pecoraro@apple.com>
1551
1552         Web Inspector: Array/Collection Sizes should be visible and distinct
1553         https://bugs.webkit.org/show_bug.cgi?id=142254
1554
1555         Reviewed by Timothy Hatcher.
1556
1557         * runtime/WeakMapData.h:
1558         (JSC::WeakMapData::size):
1559         * inspector/JSInjectedScriptHost.cpp:
1560         (Inspector::JSInjectedScriptHost::weakMapSize):
1561         * inspector/JSInjectedScriptHost.h:
1562         * inspector/JSInjectedScriptHostPrototype.cpp:
1563         (Inspector::JSInjectedScriptHostPrototype::finishCreation):
1564         (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
1565         Add a way to get a WeakMap's size.
1566
1567         * inspector/protocol/Runtime.json:
1568         Include size in RemoteObject and ObjectPreview.
1569
1570         * inspector/InjectedScriptSource.js:
1571         Set the size of RemoteObjects and previews if they
1572         are array/collection types.
1573
1574 2015-03-04  Andreas Kling  <akling@apple.com>
1575
1576         GC should compute stack bounds and dump registers at the earliest opportunity.
1577         <https://webkit.org/b/142310>
1578         <rdar://problem/20045624>
1579
1580         Reviewed by Geoffrey Garen.
1581
1582         Make Heap::collect() a wrapper function around a collectImpl() where the work is actually done.
1583         The wrapper function that grabs a snapshot of the current stack boundaries and register values
1584         on entry, and sanitizes the stack on exit.
1585
1586         This is a speculative fix for what appears to be overly conservative behavior in the garbage
1587         collector following r178364 which caused a measurable regression in memory usage on Membuster.
1588         The theory being that we were putting pointers to dead things on the stack before scanning it,
1589         and by doing that ended up marking things that we'd otherwise discover to be garbage.
1590
1591         * heap/Heap.cpp:
1592         (JSC::Heap::markRoots):
1593         (JSC::Heap::gatherStackRoots):
1594         (JSC::Heap::collect):
1595         (JSC::Heap::collectImpl):
1596         * heap/Heap.h:
1597         * heap/MachineStackMarker.cpp:
1598         (JSC::MachineThreads::gatherFromCurrentThread):
1599         (JSC::MachineThreads::gatherConservativeRoots):
1600         * heap/MachineStackMarker.h:
1601
1602 2015-03-04  Debarshi Ray  <debarshir@gnome.org>
1603
1604         Silence GCC's -Wstrict-prototypes
1605         https://bugs.webkit.org/show_bug.cgi?id=142278
1606
1607         Reviewed by Alexey Proskuryakov.
1608
1609         * API/JSContextRef.h:
1610
1611 2015-03-04  Benjamin Poulain  <bpoulain@apple.com>
1612
1613         [JSC] Add a node for Math.log()
1614         https://bugs.webkit.org/show_bug.cgi?id=142126
1615
1616         Reviewed by Geoffrey Garen.
1617
1618         This patch adds the DFG node ArithLog for LogIntrinsic.
1619
1620         Having a direct call to log has very little value by itself, the implementation
1621         in DFG and FTL is a simple function call.
1622
1623         What is useful in ArithLog is that we know the operation is pure.
1624         This allow us to hoist it out of loops when the argument is independent
1625         is an invariant of the loop.
1626
1627         Perf wise, this patch gives:
1628         -Kraken's imaging-darkroom: definitely 1.2372x faster.
1629         -AsmBench's Towers.c: definitely 1.0261x faster.
1630
1631         * dfg/DFGAbstractInterpreterInlines.h:
1632         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1633         * dfg/DFGByteCodeParser.cpp:
1634         (JSC::DFG::ByteCodeParser::handleIntrinsic):
1635         * dfg/DFGClobberize.h:
1636         (JSC::DFG::clobberize):
1637         * dfg/DFGDoesGC.cpp:
1638         (JSC::DFG::doesGC):
1639         * dfg/DFGFixupPhase.cpp:
1640         (JSC::DFG::FixupPhase::fixupNode):
1641         * dfg/DFGNodeType.h:
1642         * dfg/DFGPredictionPropagationPhase.cpp:
1643         (JSC::DFG::PredictionPropagationPhase::propagate):
1644         (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
1645         * dfg/DFGSafeToExecute.h:
1646         (JSC::DFG::safeToExecute):
1647         * dfg/DFGSpeculativeJIT.cpp:
1648         (JSC::DFG::SpeculativeJIT::compileArithLog):
1649         * dfg/DFGSpeculativeJIT.h:
1650         * dfg/DFGSpeculativeJIT32_64.cpp:
1651         (JSC::DFG::SpeculativeJIT::compile):
1652         * dfg/DFGSpeculativeJIT64.cpp:
1653         (JSC::DFG::SpeculativeJIT::compile):
1654         * ftl/FTLCapabilities.cpp:
1655         (JSC::FTL::canCompile):
1656         * ftl/FTLIntrinsicRepository.h:
1657         * ftl/FTLLowerDFGToLLVM.cpp:
1658         (JSC::FTL::LowerDFGToLLVM::compileNode):
1659         (JSC::FTL::LowerDFGToLLVM::compileArithLog):
1660         * ftl/FTLOutput.h:
1661         (JSC::FTL::Output::doubleLog):
1662         * tests/stress/math-log-basics.js: Added.
1663         * tests/stress/math-log-with-constants.js: Added.
1664
1665 2015-03-04  Filip Pizlo  <fpizlo@apple.com>
1666
1667         Only Heap should be in charge of deciding how to select a subspace for a type
1668         https://bugs.webkit.org/show_bug.cgi?id=142304
1669
1670         Reviewed by Mark Lam.
1671         
1672         This slightly reduces the code duplication for selecting subspace based on type, and what
1673         duplication is left is at least localized in HeapInlines.h. The immediate effect is that
1674         the DFG and FTL don't have to duplicate this pattern.
1675
1676         * dfg/DFGSpeculativeJIT.h:
1677         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1678         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
1679         * ftl/FTLLowerDFGToLLVM.cpp:
1680         (JSC::FTL::LowerDFGToLLVM::allocateObject):
1681         * heap/Heap.h:
1682         * heap/HeapInlines.h:
1683         (JSC::Heap::allocateObjectOfType):
1684         (JSC::Heap::subspaceForObjectOfType):
1685         (JSC::Heap::allocatorForObjectOfType):
1686         * runtime/JSCellInlines.h:
1687         (JSC::allocateCell):
1688
1689 2015-03-04  Andreas Kling  <akling@apple.com>
1690
1691         Stale entries in WeakGCMaps are keeping tons of WeakBlocks alive unnecessarily.
1692         <https://webkit.org/b/142115>
1693         <rdar://problem/19992268>
1694
1695         Reviewed by Geoffrey Garen.
1696
1697         Prune stale entries from WeakGCMaps as part of every full garbage collection.
1698         This frees up tons of previously-stuck WeakBlocks that were only sitting around
1699         with finalized handles waiting to die.
1700
1701         Note that WeakGCMaps register/unregister themselves with the GC heap in their
1702         ctor/dtor, so creating one now requires passing the VM.
1703
1704         Average time spent in the PruningStaleEntriesFromWeakGCMaps GC phase appears
1705         to be between 0.01ms and 0.3ms, though I've seen a few longer ones at ~1.2ms.
1706         It seems somewhat excessive to do this on every Eden collection, so it's only
1707         doing work in full collections for now.
1708
1709         * API/JSWeakObjectMapRefInternal.h:
1710         (OpaqueJSWeakObjectMap::create):
1711         (OpaqueJSWeakObjectMap::OpaqueJSWeakObjectMap):
1712         * API/JSWeakObjectMapRefPrivate.cpp:
1713         * API/JSWrapperMap.mm:
1714         (-[JSWrapperMap initWithContext:]):
1715         (-[JSWrapperMap jsWrapperForObject:]): Pass VM to WeakGCMap constructor.
1716
1717         * JavaScriptCore.xcodeproj/project.pbxproj: Add WeakGCMapInlines.h and make
1718         it project-private so WebCore clients can access it.
1719
1720         * heap/Heap.cpp:
1721         (JSC::Heap::collect):
1722         (JSC::Heap::pruneStaleEntriesFromWeakGCMaps): Added a new GC phase for pruning
1723         stale entries from WeakGCMaps. This is only executed during full collections.
1724
1725         * heap/Heap.h:
1726         * heap/HeapInlines.h:
1727         (JSC::Heap::registerWeakGCMap):
1728         (JSC::Heap::unregisterWeakGCMap): Added a mechanism for WeakGCMaps to register
1729         themselves with the Heap and provide a pruning callback.
1730
1731         * runtime/PrototypeMap.h:
1732         (JSC::PrototypeMap::PrototypeMap):
1733         * runtime/Structure.cpp:
1734         (JSC::StructureTransitionTable::add): Pass VM to WeakGCMap constructor.
1735
1736         * runtime/JSCInlines.h: Add "WeakGCMapInlines.h"
1737
1738         * runtime/JSGlobalObject.cpp: Include "WeakGCMapInlines.h" so this builds.
1739
1740         * runtime/VM.cpp:
1741         (JSC::VM::VM): Pass VM to WeakGCMap constructor.
1742
1743         * runtime/WeakGCMap.h:
1744         (JSC::WeakGCMap::set):
1745         (JSC::WeakGCMap::add):
1746         (JSC::WeakGCMap::WeakGCMap): Deleted.
1747         (JSC::WeakGCMap::gcMap): Deleted.
1748         (JSC::WeakGCMap::gcMapIfNeeded): Deleted.
1749         * runtime/WeakGCMapInlines.h: Added.
1750         (JSC::WeakGCMap::WeakGCMap):
1751         (JSC::WeakGCMap::~WeakGCMap):
1752         (JSC::WeakGCMap::pruneStaleEntries): Moved ctor, dtor and pruning callback
1753         to WeakGCMapInlines.h to fix interdependent header issues. Removed code that
1754         prunes WeakGCMap at certain growth milestones and instead rely on the GC
1755         callback for housekeeping.
1756
1757 2015-03-03  Filip Pizlo  <fpizlo@apple.com>
1758
1759         DFG IR should refer to FunctionExecutables directly and not via the CodeBlock
1760         https://bugs.webkit.org/show_bug.cgi?id=142229
1761
1762         Reviewed by Mark Lam and Benjamin Poulain.
1763         
1764         Anytime a DFG IR node refers to something in CodeBlock, it has three effects:
1765
1766         - Cumbersome API for accessing the thing that the node refers to.
1767         
1768         - Not obvious how to create a new such node after bytecode parsing, especially if the
1769           thing it refers to isn't already in the CodeBlock. We have done this in the past, but
1770           it usually involves subtle changes to CodeBlock.
1771         
1772         - Not obvious how to inline code that ends up using such nodes. Again, when we have done
1773           this, it involved subtle changes to CodeBlock.
1774         
1775         Prior to this change, the NewFunction* node types used an index into tables in CodeBlock.
1776         For this reason, those operations were not inlineable. But the functin tables in CodeBlock
1777         just point to FunctionExecutables, which are cells; this means that we can just abstract
1778         these operands in DFG IR as cellOperands. cellOperands use DFG::FrozenValue, which means
1779         that GC registration happens automagically. Even better, our dumping for cellOperand
1780         already did FunctionExecutable dumping - so that functionality gets to be deduplicated.
1781         
1782         Because this change increases the number of users of cellOperand, it also adds some
1783         convenience methods for using it. For example, whereas before you'd say things like:
1784         
1785             jsCast<Foo*>(node->cellOperand()->value())
1786         
1787         you can now just say:
1788         
1789             node->castOperand<Foo*>()
1790         
1791         This change also changes existing cellOperand users to use the new conveniance API when
1792         applicable.
1793
1794         * bytecode/CodeBlock.cpp:
1795         (JSC::CodeBlock::jettisonFunctionDeclsAndExprs):
1796         * bytecode/CodeBlock.h:
1797         * dfg/DFGByteCodeParser.cpp:
1798         (JSC::DFG::ByteCodeParser::parseBlock):
1799         * dfg/DFGCapabilities.cpp:
1800         (JSC::DFG::capabilityLevel):
1801         * dfg/DFGFrozenValue.h:
1802         (JSC::DFG::FrozenValue::cell):
1803         (JSC::DFG::FrozenValue::dynamicCast):
1804         (JSC::DFG::FrozenValue::cast):
1805         * dfg/DFGGraph.cpp:
1806         (JSC::DFG::Graph::dump):
1807         (JSC::DFG::Graph::registerFrozenValues):
1808         * dfg/DFGNode.h:
1809         (JSC::DFG::Node::hasCellOperand):
1810         (JSC::DFG::Node::castOperand):
1811         (JSC::DFG::Node::hasFunctionDeclIndex): Deleted.
1812         (JSC::DFG::Node::functionDeclIndex): Deleted.
1813         (JSC::DFG::Node::hasFunctionExprIndex): Deleted.
1814         (JSC::DFG::Node::functionExprIndex): Deleted.
1815         * dfg/DFGSpeculativeJIT.cpp:
1816         (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
1817         (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
1818         * dfg/DFGSpeculativeJIT32_64.cpp:
1819         (JSC::DFG::SpeculativeJIT::compile):
1820         * dfg/DFGSpeculativeJIT64.cpp:
1821         (JSC::DFG::SpeculativeJIT::compile):
1822         * dfg/DFGWatchpointCollectionPhase.cpp:
1823         (JSC::DFG::WatchpointCollectionPhase::handle):
1824         * ftl/FTLLowerDFGToLLVM.cpp:
1825         (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
1826         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
1827
1828 2015-03-03  Michael Saboff  <msaboff@apple.com>
1829
1830         DelayedReleaseScope drops locks during GC which can cause a thread switch and code reentry
1831         https://bugs.webkit.org/show_bug.cgi?id=141275
1832
1833         Reviewed by Geoffrey Garen.
1834
1835         The original issue is that the CodeCache uses an unsafe method to add new UnlinkedCodeBlocks.
1836         It basically adds a null UnlinkedCodeBlock if there isn't a cached entry and then later
1837         updates the null entry to the result of the compilation.  If during that compilation and
1838         related processing we need to garbage collect, the DelayedReleaseScope would drop locks
1839         possibly allowing another thread to try to get the same source out of the CodeCache.
1840         This second thread would find the null entry and crash.  The fix is to move the processing of
1841         DelayedReleaseScope to when we drop locks and not drop locks during GC.  That was done in
1842         the original patch with the new function releaseDelayedReleasedObjects().
1843
1844         Updated releaseDelayedReleasedObjects() so that objects are released with all locks
1845         dropped.  Now its processing follows these steps
1846             Increment recursion counter and do recursion check and exit if recursing
1847             While there are objects to release
1848                 ASSERT that lock is held by current thread
1849                 Take all items from delayed release Vector and put into temporary Vector
1850                 Release API lock
1851                 Release and clear items from temporary vector
1852                 Reaquire API lock
1853         This meets the requirement that we release while the API lock is released and it is
1854         safer processing of the delayed release Vector.
1855
1856         Added new regression test to testapi.
1857
1858         Also added comment describing how recursion into releaseDelayedReleasedObjects() is
1859         prevented.
1860
1861         * API/tests/Regress141275.h: Added.
1862         * API/tests/Regress141275.mm: Added.
1863         (+[JSTEvaluatorTask evaluatorTaskWithEvaluateBlock:completionHandler:]):
1864         (-[JSTEvaluator init]):
1865         (-[JSTEvaluator initWithScript:]):
1866         (-[JSTEvaluator _accessPendingTasksWithBlock:]):
1867         (-[JSTEvaluator insertSignPostWithCompletion:]):
1868         (-[JSTEvaluator evaluateScript:completion:]):
1869         (-[JSTEvaluator evaluateBlock:completion:]):
1870         (-[JSTEvaluator waitForTasksDoneAndReportResults]):
1871         (__JSTRunLoopSourceScheduleCallBack):
1872         (__JSTRunLoopSourcePerformCallBack):
1873         (__JSTRunLoopSourceCancelCallBack):
1874         (-[JSTEvaluator _jsThreadMain]):
1875         (-[JSTEvaluator _sourceScheduledOnRunLoop:]):
1876         (-[JSTEvaluator _setupEvaluatorThreadContextIfNeeded]):
1877         (-[JSTEvaluator _callCompletionHandler:ifNeededWithError:]):
1878         (-[JSTEvaluator _sourcePerform]):
1879         (-[JSTEvaluator _sourceCanceledOnRunLoop:]):
1880         (runRegress141275):
1881         * API/tests/testapi.mm:
1882         (testObjectiveCAPI):
1883         * JavaScriptCore.xcodeproj/project.pbxproj:
1884         * heap/Heap.cpp:
1885         (JSC::Heap::releaseDelayedReleasedObjects):
1886         * runtime/JSLock.cpp:
1887         (JSC::JSLock::unlock):
1888
1889 2015-03-03  Filip Pizlo  <fpizlo@apple.com>
1890
1891         DFG should constant fold GetScope, and accesses to the scope register in the ByteCodeParser should not pretend that it's a constant as that breaks OSR exit liveness tracking
1892         https://bugs.webkit.org/show_bug.cgi?id=106202
1893
1894         Rubber stamped by Benjamin Poulain.
1895         
1896         This fixes a bug discovered by working on https://bugs.webkit.org/show_bug.cgi?id=142229,
1897         which was in turn discovered by working on https://bugs.webkit.org/show_bug.cgi?id=141174.
1898         Our way of dealing with scopes known to be constant is very sketchy, and only really works
1899         when a function is inlined. When it is, we pretend that every load of the scopeRegister sees
1900         a constant. But this breaks the DFG's tracking of the liveness of the scopeRegister. The way
1901         this worked made us miss oppportunities for optimizing based on a constant scope, and it also
1902         meant that in some cases - particularly like when we inline code that uses NewFuction and
1903         friends, as I do in bug 142229 - it makes OSR exit think that the scope is dead even though
1904         it's most definitely alive and it's a constant.
1905         
1906         The problem here is that we were doing too many optimizations in the ByteCodeParser, and not
1907         later. Later optimization phases know how to preserve OSR exit liveness. They're actually
1908         really good at it. Also, later phases know how to infer that any variable is a constant no
1909         matter how that constant arose - rather than the inlining-specific thing in ByteCodeParser.
1910         
1911         This changes the ByteCodeParser to largely avoid doing constant folding on the scope, except
1912         making the GetScope operation itself a constant. This is a compilation-time hack for small
1913         functions, and it doesn't break the loads of local variables - so OSR exit liveness still
1914         sees that the scopeRegister is in use. This then adds a vastly more powerful GetScope and
1915         GetClosureVar constant folder in the AbstractInterpreter. This handles most general cases
1916         including those that arise in complex control flow. This will catch cases where the scope
1917         is constant for any number of reasons. Basically anytime that the callee is inferred constant
1918         this will give us a constant scope. Also, we still have the parse-time constant folding of
1919         ResolveScope based on the reentry watchpoint, which luckily did the right thing with respect
1920         to OSR exit liveness (it splats a Phantom on its inputs, and it produces a constant result
1921         which is then set() normally).
1922         
1923         This appears to be a broad speed-up, albeit a small one. But mainly it unblocks bug 142229,
1924         which then should unblock bug 141174.
1925
1926         * dfg/DFGAbstractInterpreterInlines.h:
1927         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1928         * dfg/DFGByteCodeParser.cpp:
1929         (JSC::DFG::ByteCodeParser::get):
1930         (JSC::DFG::ByteCodeParser::getLocal):
1931         (JSC::DFG::ByteCodeParser::parseBlock):
1932         (JSC::DFG::ByteCodeParser::parse):
1933         * dfg/DFGClobberize.h:
1934         (JSC::DFG::clobberize):
1935         * dfg/DFGDoesGC.cpp:
1936         (JSC::DFG::doesGC):
1937         * dfg/DFGFixupPhase.cpp:
1938         (JSC::DFG::FixupPhase::fixupNode):
1939         * dfg/DFGGraph.cpp:
1940         (JSC::DFG::Graph::tryGetConstantClosureVar):
1941         (JSC::DFG::Graph::tryGetRegisters):
1942         (JSC::DFG::Graph::tryGetActivation): Deleted.
1943         * dfg/DFGGraph.h:
1944         * dfg/DFGNode.h:
1945         (JSC::DFG::Node::hasVariableWatchpointSet):
1946         (JSC::DFG::Node::hasSymbolTable): Deleted.
1947         (JSC::DFG::Node::symbolTable): Deleted.
1948         * dfg/DFGNodeType.h:
1949         * dfg/DFGPredictionPropagationPhase.cpp:
1950         (JSC::DFG::PredictionPropagationPhase::propagate):
1951         * dfg/DFGSafeToExecute.h:
1952         (JSC::DFG::safeToExecute):
1953         * dfg/DFGSpeculativeJIT32_64.cpp:
1954         (JSC::DFG::SpeculativeJIT::compile):
1955         * dfg/DFGSpeculativeJIT64.cpp:
1956         (JSC::DFG::SpeculativeJIT::compile):
1957         * dfg/DFGWatchpointCollectionPhase.cpp:
1958         (JSC::DFG::WatchpointCollectionPhase::handle):
1959         * ftl/FTLCapabilities.cpp:
1960         (JSC::FTL::canCompile):
1961         * ftl/FTLLowerDFGToLLVM.cpp:
1962         (JSC::FTL::LowerDFGToLLVM::compileNode):
1963         (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
1964         * runtime/SymbolTable.cpp:
1965         (JSC::SymbolTable::visitChildren):
1966         (JSC::SymbolTable::localToEntry):
1967         (JSC::SymbolTable::entryFor):
1968         * runtime/SymbolTable.h:
1969         (JSC::SymbolTable::add):
1970         (JSC::SymbolTable::set):
1971         * tests/stress/function-expression-exit.js: Added.
1972         * tests/stress/function-reentry-infer-on-self.js: Added.
1973         (thingy):
1974         * tests/stress/goofy-function-reentry-incorrect-inference.js: Added.
1975
1976 2015-03-03  Anders Carlsson  <andersca@apple.com>
1977
1978         Remove unused compression code
1979         https://bugs.webkit.org/show_bug.cgi?id=142237
1980
1981         Reviewed by Geoffrey Garen.
1982
1983         * bytecode/UnlinkedCodeBlock.h:
1984
1985 2015-03-03  Filip Pizlo  <fpizlo@apple.com>
1986
1987         JIT debugging features that selectively disable the JITs for code blocks need to stay out of the way of the critical path of JIT management
1988         https://bugs.webkit.org/show_bug.cgi?id=142234
1989
1990         Reviewed by Mark Lam and Benjamin Poulain.
1991         
1992         Long ago, we used to selectively disable compilation of CodeBlocks for debugging purposes by
1993         adding hacks to DFGDriver.cpp.  This was all well and good.  It used the existing
1994         CompilationFailed mode of the DFG driver to signal failure of CodeBlocks that we didn't want
1995         to compile.  That's great because CompilationFailed is a well-supported return value on the
1996         critical path, usually used for when we run out of JIT memory.
1997
1998         Later, this was moved into DFGCapabilities. This was basically incorrect. It introduced a bug
1999         where disabling compiling of a CodeBlock meant that we stopped inlining it as well.  So if
2000         you had a compiler bug that arose if foo was inlined into bar, and you bisected down to bar,
2001         then foo would no longer get inlined and you wouldn't see the bug.  That's busted.
2002
2003         So then we changed the code in DFGCapabilities to mark bar as CanCompile and foo as
2004         CanInline. Now, foo wouldn't get compiled alone but it would get inlined.
2005
2006         But then we removed CanCompile because that capability mode only existed for the purpose of
2007         our old varargs hacks.  After that removal, "CanInline" became CannotCompile.  This means
2008         that if you bisect down on bar in the "foo inlined into bar" case, you'll crash in the DFG
2009         because the baseline JIT wouldn't have known to insert profiling on foo.
2010
2011         We could fix this by bringing back CanInline.
2012
2013         But this is all a pile of nonsense.  The debug support to selectively disable compilation of
2014         some CodeBlocks shouldn't cross-cut our entire engine and should most certainly never involve
2015         adding new capability modes.  This support is a hack at best and is for use by JSC hackers
2016         only.  It should be as unintrusive as possible.
2017
2018         So, as in the ancient times, the only proper place to put this hack is in DFGDriver.cpp, and
2019         return CompilationFailed.  This is correct not just because it takes capability modes out of
2020         the picture (and obviates the need to introduce new ones), but also because it means that
2021         disabling compilation doesn't change the profiling mode of other CodeBlocks in the Baseline
2022         JIT.  Capability mode influences profiling mode which in turn influences code generation in
2023         the Baseline JIT, sometimes in very significant ways - like, we sometimes do additional
2024         double-to-int conversions in Baseline if we know that we might tier-up into the DFG, since
2025         this buys us more precise profiling.
2026         
2027         This change reduces the intrusiveness of debugging hacks by making them use the very simple
2028         CompilationFailed mechanism rather than trying to influence capability modes. Capability
2029         modes have very subtle effects on the whole engine, while CompilationFailed just makes the
2030         engine pretend like the DFG compilation will happen at timelike infinity. That makes these
2031         hacks much more likely to continue working as we make other changes to the system.
2032         
2033         This brings back the ability to bisect down onto a function bar when bar inlines foo. Prior
2034         to this change, we would crash in that case.
2035
2036         * dfg/DFGCapabilities.cpp:
2037         (JSC::DFG::isSupported):
2038         (JSC::DFG::mightCompileEval):
2039         (JSC::DFG::mightCompileProgram):
2040         (JSC::DFG::mightCompileFunctionForCall):
2041         (JSC::DFG::mightCompileFunctionForConstruct):
2042         * dfg/DFGCapabilities.h:
2043         * dfg/DFGDriver.cpp:
2044         (JSC::DFG::compileImpl):
2045
2046 2015-03-03  peavo@outlook.com  <peavo@outlook.com>
2047
2048         [Win64] JSC compile error.
2049         https://bugs.webkit.org/show_bug.cgi?id=142216
2050
2051         Reviewed by Mark Lam.
2052
2053         There is missing a version of setupArgumentsWithExecState when NUMBER_OF_ARGUMENT_REGISTERS == 4.
2054
2055         * jit/CCallHelpers.h:
2056         (JSC::CCallHelpers::setupArgumentsWithExecState):
2057
2058 2015-03-02  Filip Pizlo  <fpizlo@apple.com>
2059
2060         DFG compile time measurements should really report milliseconds
2061         https://bugs.webkit.org/show_bug.cgi?id=142209
2062
2063         Reviewed by Benjamin Poulain.
2064         
2065         Fix this to record milliseconds instead of seconds.
2066
2067         * dfg/DFGPlan.cpp:
2068         (JSC::DFG::Plan::compileInThread):
2069         (JSC::DFG::Plan::compileInThreadImpl):
2070
2071 2015-03-02  Filip Pizlo  <fpizlo@apple.com>
2072
2073         Remove op_get_callee, it's unused
2074         https://bugs.webkit.org/show_bug.cgi?id=142206
2075
2076         Reviewed by Andreas Kling.
2077         
2078         It's a bit of a shame that we stopped using this opcode since it gives us same-callee
2079         profiling. But, if we were to add this functionality back in, we would almost certainly do
2080         it by adding a JSFunction allocation watchpoint on FunctionExecutable.
2081
2082         * bytecode/BytecodeList.json:
2083         * bytecode/BytecodeUseDef.h:
2084         (JSC::computeUsesForBytecodeOffset):
2085         (JSC::computeDefsForBytecodeOffset):
2086         * bytecode/CodeBlock.cpp:
2087         (JSC::CodeBlock::dumpBytecode):
2088         (JSC::CodeBlock::finalizeUnconditionally):
2089         * dfg/DFGByteCodeParser.cpp:
2090         (JSC::DFG::ByteCodeParser::parseBlock):
2091         * dfg/DFGCapabilities.cpp:
2092         (JSC::DFG::capabilityLevel):
2093         * jit/JIT.cpp:
2094         (JSC::JIT::privateCompileMainPass):
2095         (JSC::JIT::privateCompileSlowCases):
2096         * jit/JIT.h:
2097         * jit/JITOpcodes.cpp:
2098         (JSC::JIT::emit_op_get_callee): Deleted.
2099         (JSC::JIT::emitSlow_op_get_callee): Deleted.
2100         * jit/JITOpcodes32_64.cpp:
2101         (JSC::JIT::emit_op_get_callee): Deleted.
2102         (JSC::JIT::emitSlow_op_get_callee): Deleted.
2103         * llint/LowLevelInterpreter32_64.asm:
2104         * llint/LowLevelInterpreter64.asm:
2105         * runtime/CommonSlowPaths.cpp:
2106         (JSC::SLOW_PATH_DECL): Deleted.
2107
2108 2015-03-02  Joseph Pecoraro  <pecoraro@apple.com>
2109
2110         Web Inspector: Context Menu to Log a Particular Object
2111         https://bugs.webkit.org/show_bug.cgi?id=142198
2112
2113         Reviewed by Timothy Hatcher.
2114
2115         Add a protocol method to assign a $n index to a value. For an object
2116         use the injected script context for that object. For a value, use
2117         the execution context to know where to save the value.
2118
2119         * inspector/InjectedScript.cpp:
2120         (Inspector::InjectedScript::saveResult):
2121         * inspector/InjectedScript.h:
2122         * inspector/InjectedScriptSource.js:
2123         * inspector/agents/InspectorRuntimeAgent.cpp:
2124         (Inspector::InspectorRuntimeAgent::saveResult):
2125         * inspector/agents/InspectorRuntimeAgent.h:
2126         * inspector/protocol/Debugger.json:
2127         * inspector/protocol/Runtime.json:
2128
2129 2015-03-02  Filip Pizlo  <fpizlo@apple.com>
2130
2131         SpeculativeJIT::emitAllocateArguments() should be a bit faster, and shouldn't do destructor initialization
2132         https://bugs.webkit.org/show_bug.cgi?id=142197
2133
2134         Reviewed by Geoffrey Garen.
2135
2136         * dfg/DFGSpeculativeJIT.cpp:
2137         (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Use shift instead of mul, since mul doesn't automatically strength-reduce to shift. Also pass the structure as a TrustedImmPtr.
2138         * dfg/DFGSpeculativeJIT.h:
2139         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject): Rationalize this a bit. The other emitAllocate... methods take a templated structure so that it can be either a TrustedImmPtr or a register. Also don't do destructor initialization, since its one client doesn't need it, and it's actually probably wrong.
2140
2141 2015-03-02  Mark Lam  <mark.lam@apple.com>
2142
2143         Exception stack unwinding in JSC hangs while the Timeline Profiler is enabled.
2144         <https://webkit.org/b/142191>
2145
2146         Reviewed by Geoffrey Garen.
2147
2148         Imagine a scenario where the Inspector is paused / suspended at a breakpoint or
2149         while the user is stepping through JS code. The user then tries to evaluate an
2150         expression in the console, and that evaluation results in an exception being
2151         thrown. Currently, if the Timeline Profiler is enabled while this exception is
2152         being thrown, the WebProcess will hang while trying to handle that exception.
2153
2154         The issue is that the Timeline Profiler's ProfileGenerator::didExecute() will
2155         return early and decline to process ProfileNodes if the Inspector is paused.
2156         This is proper because it does not want to count work done for injected scripts
2157         (e.g. from the console) towards the timeline profile of the webpage being run.
2158         However, this is in conflict with ProfileGenerator::exceptionUnwind()'s
2159         expectation that didExecute() will process ProfileNodes in order to do the stack
2160         unwinding for the exception handling. As a result,
2161         ProfileGenerator::exceptionUnwind() hangs.
2162
2163         ProfileGenerator::exceptionUnwind() is in error. While the Inspector is paused,
2164         there will not be any ProfileNodes that it needs to "unwind". Hence, the fix is
2165         simply to return early also in ProfileGenerator::exceptionUnwind() if the
2166         Inspector is paused.
2167
2168         * profiler/ProfileGenerator.cpp:
2169         (JSC::ProfileGenerator::exceptionUnwind):
2170
2171 2015-03-02  Filip Pizlo  <fpizlo@apple.com>
2172
2173         FTL should correctly document where it puts the argument count for inlined varargs frames
2174         https://bugs.webkit.org/show_bug.cgi?id=142187
2175
2176         Reviewed by Geoffrey Garn.
2177         
2178         After LLVM tells us where the captured variables alloca landed in the frame, we need to
2179         tell all of our meta-data about it. We were forgetting to do so for the argument count
2180         register, which is used by inlined varargs calls.
2181
2182         * ftl/FTLCompile.cpp:
2183         (JSC::FTL::mmAllocateDataSection):
2184         * tests/stress/inline-varargs-get-arguments.js: Added.
2185         (foo):
2186         (bar):
2187         (baz):
2188
2189 2015-03-02  Filip Pizlo  <fpizlo@apple.com>
2190
2191         Deduplicate slow path calling code in JITOpcodes.cpp/JITOpcodes32_64.cpp
2192         https://bugs.webkit.org/show_bug.cgi?id=142184
2193
2194         Reviewed by Michael Saboff.
2195
2196         * jit/JITOpcodes.cpp:
2197         (JSC::JIT::emit_op_get_enumerable_length):
2198         (JSC::JIT::emitSlow_op_has_structure_property):
2199         (JSC::JIT::emit_op_has_generic_property):
2200         (JSC::JIT::emit_op_get_structure_property_enumerator):
2201         (JSC::JIT::emit_op_get_generic_property_enumerator):
2202         (JSC::JIT::emit_op_to_index_string):
2203         * jit/JITOpcodes32_64.cpp:
2204         (JSC::JIT::emit_op_get_enumerable_length): Deleted.
2205         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
2206         (JSC::JIT::emit_op_has_generic_property): Deleted.
2207         (JSC::JIT::emit_op_get_structure_property_enumerator): Deleted.
2208         (JSC::JIT::emit_op_get_generic_property_enumerator): Deleted.
2209         (JSC::JIT::emit_op_to_index_string): Deleted.
2210         (JSC::JIT::emit_op_profile_control_flow): Deleted.
2211
2212 2015-03-02  Antti Koivisto  <antti@apple.com>
2213
2214         Add way to dump cache meta data to file
2215         https://bugs.webkit.org/show_bug.cgi?id=142183
2216
2217         Reviewed by Andreas Kling.
2218
2219         Export appendQuotedJSONStringToBuilder.
2220
2221         * bytecompiler/NodesCodegen.cpp:
2222         (JSC::ObjectPatternNode::toString):
2223         * runtime/JSONObject.cpp:
2224         (JSC::appendQuotedJSONStringToBuilder):
2225         (JSC::Stringifier::appendQuotedString):
2226         (JSC::escapeStringToBuilder): Deleted.
2227         * runtime/JSONObject.h:
2228
2229 2015-03-02  Joseph Pecoraro  <pecoraro@apple.com>
2230
2231         Web Inspector: Add Context Menus to Object Tree properties
2232         https://bugs.webkit.org/show_bug.cgi?id=142125
2233
2234         Reviewed by Timothy Hatcher.
2235
2236         * inspector/JSInjectedScriptHost.cpp:
2237         (Inspector::JSInjectedScriptHost::functionDetails):
2238         Update to include columnNumber.
2239
2240 2015-03-01  Filip Pizlo  <fpizlo@apple.com>
2241
2242         BytecodeGenerator shouldn't emit op_resolve_scope as a roundabout way of returning the scopeRegister
2243         https://bugs.webkit.org/show_bug.cgi?id=142153
2244
2245         Reviewed by Michael Saboff.
2246         
2247         We don't need a op_resolve_scope if we know that it will simply return the scope register.
2248         This changes the BytecodeGenerator to use the scope register directly in those cases where
2249         we know statically that we would just have returned that from op_resolve_scope.
2250         
2251         This doesn't appear to have a significant impact on performance.
2252
2253         * bytecode/CodeBlock.cpp:
2254         (JSC::CodeBlock::CodeBlock):
2255         * bytecompiler/BytecodeGenerator.cpp:
2256         (JSC::BytecodeGenerator::emitResolveScope):
2257         (JSC::BytecodeGenerator::emitReturn):
2258         (JSC::BytecodeGenerator::emitGetOwnScope): Deleted.
2259         * bytecompiler/BytecodeGenerator.h:
2260         * bytecompiler/NodesCodegen.cpp:
2261         (JSC::ResolveNode::emitBytecode):
2262         (JSC::EvalFunctionCallNode::emitBytecode):
2263         (JSC::FunctionCallResolveNode::emitBytecode):
2264         (JSC::PostfixNode::emitResolve):
2265         (JSC::DeleteResolveNode::emitBytecode):
2266         (JSC::TypeOfResolveNode::emitBytecode):
2267         (JSC::PrefixNode::emitResolve):
2268         (JSC::ReadModifyResolveNode::emitBytecode):
2269         (JSC::AssignResolveNode::emitBytecode):
2270         (JSC::ConstDeclNode::emitCodeSingle):
2271         (JSC::EmptyVarExpression::emitBytecode):
2272         (JSC::ForInNode::emitLoopHeader):
2273         (JSC::ForOfNode::emitBytecode):
2274         (JSC::BindingNode::bindValue):
2275
2276 2015-02-27  Benjamin Poulain  <bpoulain@apple.com>
2277
2278         [JSC] Use the way number constants are written to help type speculation
2279         https://bugs.webkit.org/show_bug.cgi?id=142072
2280
2281         Reviewed by Filip Pizlo.
2282
2283         This patch changes how we interpret numeric constant based on how they appear
2284         in the source.
2285
2286         Constants that are integers but written with a decimal point now carry that information
2287         to the optimizating tiers. From there, we use that to be more aggressive about typing
2288         math operations toward double operations.
2289
2290         For example, in:
2291             var a = x + 1.0;
2292             var b = y + 1;
2293         The Add for a would be biased toward doubles, the Add for b would speculate
2294         integer as usual.
2295
2296
2297         The gains are tiny but this is a prerequisite to make my next patch useful:
2298         -SunSpider's access-fannkuch: definitely 1.0661x faster
2299         -SunSpider's math-cordic: definitely 1.0266x slower
2300             overal: might be 1.0066x slower.
2301         -Kraken's imaging-darkroom: definitely 1.0333x faster.
2302
2303         * parser/Lexer.cpp:
2304         (JSC::tokenTypeForIntegerLikeToken):
2305         (JSC::Lexer<T>::lex):
2306         The lexer now create two types of tokens for number: INTEGER and DOUBLE.
2307         Those token types only carry information about how the values were
2308         entered, an INTEGER does not have to be an integer, it is only written like one.
2309         Large integer still end up represented as double in memory.
2310
2311         One trap I fell into was typing numbers like 12e3 as double. This kind of literal
2312         is frequently used in integer-typed code, while 12.e3 would appear in double-typed
2313         code.
2314         Because of that, the only signals for double are: decimal point, negative zero,
2315         and ridiculously large values.
2316
2317         * parser/NodeConstructors.h:
2318         (JSC::DoubleNode::DoubleNode):
2319         (JSC::IntegerNode::IntegerNode):
2320         * parser/Nodes.h:
2321         (JSC::NumberNode::value):
2322         (JSC::NumberNode::setValue): Deleted.
2323         Number get specialized in two new kind of nodes in the AST: IntegerNode and DoubleNode.
2324
2325         * bytecompiler/NodesCodegen.cpp:
2326         (JSC::NumberNode::emitBytecode):
2327
2328         * parser/ASTBuilder.h:
2329         (JSC::ASTBuilder::createDoubleExpr):
2330         (JSC::ASTBuilder::createIntegerExpr):
2331         (JSC::ASTBuilder::createIntegerLikeNumber):
2332         (JSC::ASTBuilder::createDoubleLikeNumber):
2333         (JSC::ASTBuilder::createNumberFromBinaryOperation):
2334         (JSC::ASTBuilder::createNumberFromUnaryOperation):
2335         (JSC::ASTBuilder::makeNegateNode):
2336         (JSC::ASTBuilder::makeBitwiseNotNode):
2337         (JSC::ASTBuilder::makeMultNode):
2338         (JSC::ASTBuilder::makeDivNode):
2339         (JSC::ASTBuilder::makeModNode):
2340         (JSC::ASTBuilder::makeAddNode):
2341         (JSC::ASTBuilder::makeSubNode):
2342         (JSC::ASTBuilder::makeLeftShiftNode):
2343         (JSC::ASTBuilder::makeRightShiftNode):
2344         (JSC::ASTBuilder::makeURightShiftNode):
2345         (JSC::ASTBuilder::makeBitOrNode):
2346         (JSC::ASTBuilder::makeBitAndNode):
2347         (JSC::ASTBuilder::makeBitXOrNode):
2348         (JSC::ASTBuilder::createNumberExpr): Deleted.
2349         (JSC::ASTBuilder::createNumber): Deleted.
2350         The AST has some optimization to resolve constants before emitting bytecode.
2351         In the new code, the intger representation is kept if both operands where
2352         also represented as integers.
2353
2354         * parser/Parser.cpp:
2355         (JSC::Parser<LexerType>::parseDeconstructionPattern):
2356         (JSC::Parser<LexerType>::parseProperty):
2357         (JSC::Parser<LexerType>::parseGetterSetter):
2358         (JSC::Parser<LexerType>::parsePrimaryExpression):
2359         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2360         * parser/ParserTokens.h:
2361         * parser/SyntaxChecker.h:
2362         (JSC::SyntaxChecker::createDoubleExpr):
2363         (JSC::SyntaxChecker::createIntegerExpr):
2364         (JSC::SyntaxChecker::createNumberExpr): Deleted.
2365
2366         * bytecode/CodeBlock.cpp:
2367         (JSC::CodeBlock::registerName):
2368         (JSC::CodeBlock::constantName):
2369         Change constantName(r, getConstant(r)) -> constantName(r) to simplify
2370         the dump code.
2371
2372         (JSC::CodeBlock::dumpBytecode):
2373         Dump thre soure representation information we have with each constant.
2374
2375         (JSC::CodeBlock::CodeBlock):
2376         (JSC::CodeBlock::shrinkToFit):
2377         (JSC::constantName): Deleted.
2378         * bytecode/CodeBlock.h:
2379         (JSC::CodeBlock::constantsSourceCodeRepresentation):
2380         (JSC::CodeBlock::addConstant):
2381         (JSC::CodeBlock::addConstantLazily):
2382         (JSC::CodeBlock::constantSourceCodeRepresentation):
2383         (JSC::CodeBlock::setConstantRegisters):
2384
2385         * bytecode/UnlinkedCodeBlock.h:
2386         (JSC::UnlinkedCodeBlock::addConstant):
2387         (JSC::UnlinkedCodeBlock::constantsSourceCodeRepresentation):
2388         (JSC::UnlinkedCodeBlock::shrinkToFit):
2389
2390         * bytecompiler/BytecodeGenerator.cpp:
2391         (JSC::BytecodeGenerator::addConstantValue):
2392         (JSC::BytecodeGenerator::emitLoad):
2393         * bytecompiler/BytecodeGenerator.h:
2394         We have to differentiate between constants that have the same values but are
2395         represented differently in the source. Values like 1.0 and 1 now end up
2396         as different constants.
2397
2398         * dfg/DFGByteCodeParser.cpp:
2399         (JSC::DFG::ByteCodeParser::get):
2400         (JSC::DFG::ByteCodeParser::addConstantToGraph):
2401         * dfg/DFGGraph.cpp:
2402         (JSC::DFG::Graph::registerFrozenValues):
2403         * dfg/DFGGraph.h:
2404         (JSC::DFG::Graph::addSpeculationMode):
2405         (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
2406         ArithAdd is very aggressive toward using Int52, which is quite useful
2407         in many benchmarks.
2408
2409         Here we need to specialize to make sure we don't force our literals
2410         to Int52 if there were represented as double.
2411
2412         There is one exception to that rule: when the other operand is guaranteed
2413         to come from a NodeResultInt32. This is because there is some weird code
2414         doing stuff like:
2415             var b = a|0;
2416             var c = b*2.0;
2417
2418         * dfg/DFGNode.h:
2419         (JSC::DFG::Node::Node):
2420         (JSC::DFG::Node::setOpAndDefaultFlags):
2421         (JSC::DFG::Node::sourceCodeRepresentation):
2422         * dfg/DFGPredictionPropagationPhase.cpp:
2423         (JSC::DFG::PredictionPropagationPhase::propagate):
2424         * runtime/JSCJSValue.h:
2425         (JSC::EncodedJSValueWithRepresentationHashTraits::emptyValue):
2426         (JSC::EncodedJSValueWithRepresentationHashTraits::constructDeletedValue):
2427         (JSC::EncodedJSValueWithRepresentationHashTraits::isDeletedValue):
2428         (JSC::EncodedJSValueWithRepresentationHash::hash):
2429         (JSC::EncodedJSValueWithRepresentationHash::equal):
2430         * tests/stress/arith-add-with-constants.js: Added.
2431         * tests/stress/arith-mul-with-constants.js: Added.
2432
2433 2015-02-26  Filip Pizlo  <fpizlo@apple.com>
2434
2435         Unreviewed, roll out r180723. It broke a bunch of tests.
2436
2437         * bytecompiler/BytecodeGenerator.cpp:
2438         (JSC::BytecodeGenerator::constLocal):
2439         * bytecompiler/BytecodeGenerator.h:
2440         * bytecompiler/NodesCodegen.cpp:
2441         (JSC::ConstDeclNode::emitCodeSingle):
2442         * tests/stress/const-arguments.js: Removed.
2443
2444 2015-02-26  Mark Lam  <mark.lam@apple.com>
2445
2446         Assertion fix for r180711: The bool returning form of BytecodeGenerator::addVar() can be removed.
2447         <https://webkit.org/b/142064>
2448
2449         Reviewed by Joseph Pecoraro.
2450
2451         * bytecompiler/BytecodeGenerator.cpp:
2452         (JSC::BytecodeGenerator::addVar):
2453
2454 2015-02-26  Mark Lam  <mark.lam@apple.com>
2455
2456         MachineThreads::Thread clean up has a use after free race condition.
2457         <https://webkit.org/b/141990>
2458
2459         Reviewed by Filip Pizlo.
2460
2461         MachineThreads::Thread clean up relies on the clean up mechanism
2462         implemented in _pthread_tsd_cleanup_key(), which looks like this:
2463
2464         void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
2465         {
2466             void (*destructor)(void *);
2467             if (_pthread_key_get_destructor(key, &destructor)) {
2468                 void **ptr = &self->tsd[key];
2469                 void *value = *ptr;
2470
2471             // === Start of window for the bug to manifest =================
2472
2473                 // At this point, this thread has cached "destructor" and "value"
2474                 // (which is a MachineThreads*).  If the VM gets destructed (along
2475                 // with its MachineThreads registry) by another thread, then this
2476                 // thread will have no way of knowing that the MachineThreads* is
2477                 // now pointing to freed memory.  Calling the destructor below will
2478                 // therefore result in a use after free scenario when it tries to
2479                 // access the MachineThreads' data members.
2480
2481                 if (value) {
2482                     *ptr = NULL;
2483                     if (destructor) {
2484
2485             // === End of window for the bug to manifest ==================
2486
2487                         destructor(value);
2488                     }
2489                 }
2490             }
2491         }
2492
2493         The fix is to add each active MachineThreads to an ActiveMachineThreadsManager,
2494         and always check if the manager still contains that MachineThreads object
2495         before we call removeCurrentThread() on it.  When MachineThreads is destructed,
2496         it will remove itself from the manager.  The add, remove, and checking
2497         operations are all synchronized on the manager's lock, thereby ensuring that
2498         the MachineThreads object, if found in the manager, will remain alive for the
2499         duration of time we call removeCurrentThread() on it.
2500
2501         There's also possible for the MachineThreads object to already be destructed
2502         and another one happened to have been instantiated at the same address.
2503         Hence, we should only remove the exiting thread if it is found in the
2504         MachineThreads object.
2505
2506         There is no test for this issue because this bug requires a race condition
2507         between 2 threads where:
2508         1. Thread B, which had previously used the VM, exiting and
2509            getting to the bug window shown in _pthread_tsd_cleanup_key() above.
2510         2. Thread A destructing the VM (and its MachineThreads object)
2511            within that window of time before Thread B calls the destructor.
2512
2513         It is not possible to get a reliable test case without invasively
2514         instrumenting _pthread_tsd_cleanup_key() or MachineThreads::removeCurrentThread()
2515         to significantly increase that window of opportunity.
2516
2517         * heap/MachineStackMarker.cpp:
2518         (JSC::ActiveMachineThreadsManager::Locker::Locker):
2519         (JSC::ActiveMachineThreadsManager::add):
2520         (JSC::ActiveMachineThreadsManager::remove):
2521         (JSC::ActiveMachineThreadsManager::contains):
2522         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager):
2523         (JSC::activeMachineThreadsManager):
2524         (JSC::MachineThreads::MachineThreads):
2525         (JSC::MachineThreads::~MachineThreads):
2526         (JSC::MachineThreads::removeThread):
2527         (JSC::MachineThreads::removeThreadIfFound):
2528         (JSC::MachineThreads::removeCurrentThread): Deleted.
2529         * heap/MachineStackMarker.h:
2530
2531 2015-02-26  Joseph Pecoraro  <pecoraro@apple.com>
2532
2533         Web Inspector: Save Console Evaluations into Command Line variables $1-$99 ($n)
2534         https://bugs.webkit.org/show_bug.cgi?id=142061
2535
2536         Reviewed by Timothy Hatcher.
2537
2538         * inspector/protocol/Debugger.json:
2539         * inspector/protocol/Runtime.json:
2540         Input flag "saveResult" on whether we should try to save a result.
2541         Output int "savedResultIndex" to tell the frontend the saved state.
2542
2543         * inspector/InjectedScriptSource.js:
2544         Handle saving and clearing $1-$99 values.
2545         Include in BasicCommandLineAPI for JSContext inspection.
2546
2547         * inspector/InjectedScriptBase.cpp:
2548         (Inspector::InjectedScriptBase::makeEvalCall):
2549         * inspector/InjectedScriptBase.h:
2550         Allow an optional "savedResultIndex" out value on evals.
2551
2552         * inspector/InjectedScript.cpp:
2553         (Inspector::InjectedScript::evaluate):
2554         (Inspector::InjectedScript::evaluateOnCallFrame):
2555         * inspector/InjectedScript.h:
2556         * inspector/agents/InspectorDebuggerAgent.cpp:
2557         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
2558         * inspector/agents/InspectorDebuggerAgent.h:
2559         * inspector/agents/InspectorRuntimeAgent.cpp:
2560         (Inspector::InspectorRuntimeAgent::evaluate):
2561         * inspector/agents/InspectorRuntimeAgent.h:
2562         Plumbing for new in and out parameters.
2563
2564 2015-02-26  Filip Pizlo  <fpizlo@apple.com>
2565
2566         The bool returning form of BytecodeGenerator::addVar() can be removed
2567         https://bugs.webkit.org/show_bug.cgi?id=142064
2568
2569         Reviewed by Mark Lam.
2570         
2571         It's easier to implement addVar() when you don't have to return whether it's a new
2572         variable or not.
2573
2574         * bytecompiler/BytecodeGenerator.cpp:
2575         (JSC::BytecodeGenerator::addVar):
2576         * bytecompiler/BytecodeGenerator.h:
2577         (JSC::BytecodeGenerator::addVar): Deleted.
2578
2579 2015-02-26  Filip Pizlo  <fpizlo@apple.com>
2580
2581         Various array access corner cases should take OSR exit feedback
2582         https://bugs.webkit.org/show_bug.cgi?id=142056
2583
2584         Reviewed by Geoffrey Garen.
2585         
2586         Two major changes here:
2587         
2588         - Don't keep converting GetById into GetArrayLength if we exited due to any kind of array
2589           type check.
2590         
2591         - Use a generic form of GetByVal/PutByVal if we exited due to any kind of exotic checks,
2592           like the Arguments safety checks. We use the "ExoticObjectMode" for out-of-bounds on
2593           arguments for now, since it's a convenient way of forcing out-of-bounds to be handled by
2594           the Generic array mode.
2595
2596         * bytecode/ExitKind.cpp:
2597         (JSC::exitKindToString):
2598         * bytecode/ExitKind.h:
2599         * dfg/DFGArrayMode.cpp:
2600         (JSC::DFG::ArrayMode::refine):
2601         * dfg/DFGFixupPhase.cpp:
2602         (JSC::DFG::FixupPhase::fixupNode):
2603         * dfg/DFGSpeculativeJIT.cpp:
2604         (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
2605         (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
2606         * tests/stress/array-length-array-storage-plain-object.js: Added.
2607         (foo):
2608         * tests/stress/array-length-plain-object.js: Added.
2609         (foo):
2610
2611 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
2612
2613         DFG SSA stack accesses shouldn't speak of VariableAccessDatas
2614         https://bugs.webkit.org/show_bug.cgi?id=142036
2615
2616         Reviewed by Michael Saboff.
2617         
2618         VariableAccessData is a useful thing in LoadStore and ThreadedCPS, but it's purely harmful in
2619         SSA because you can't cook up new VariableAccessDatas. So, if you know that you want to load
2620         or store to the stack, and you know what format to use as well as the location, then prior to
2621         this patch you couldn't do it unless you found some existing VariableAccessData that matched
2622         your requirements. That can be a hard task.
2623         
2624         It's better if SSA doesn't speak of VariableAccessDatas but instead just has stack accesses
2625         that speak of the things that a stack access needs: local, machineLocal, and format. This
2626         patch changes the SSA way of accessing the stack to do just that.
2627         
2628         Also add more IR validation.
2629
2630         * CMakeLists.txt:
2631         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2632         * JavaScriptCore.xcodeproj/project.pbxproj:
2633         * dfg/DFGAbstractInterpreterInlines.h:
2634         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2635         * dfg/DFGClobberize.h:
2636         (JSC::DFG::clobberize):
2637         * dfg/DFGConstantFoldingPhase.cpp:
2638         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2639         * dfg/DFGDoesGC.cpp:
2640         (JSC::DFG::doesGC):
2641         * dfg/DFGFixupPhase.cpp:
2642         (JSC::DFG::FixupPhase::fixupNode):
2643         * dfg/DFGFlushFormat.h:
2644         (JSC::DFG::isConcrete):
2645         * dfg/DFGGraph.cpp:
2646         (JSC::DFG::Graph::dump):
2647         * dfg/DFGGraph.h:
2648         * dfg/DFGMayExit.cpp:
2649         (JSC::DFG::mayExit):
2650         * dfg/DFGNode.cpp:
2651         (JSC::DFG::Node::hasVariableAccessData):
2652         * dfg/DFGNode.h:
2653         (JSC::DFG::StackAccessData::StackAccessData):
2654         (JSC::DFG::StackAccessData::flushedAt):
2655         (JSC::DFG::Node::convertToPutStack):
2656         (JSC::DFG::Node::convertToGetStack):
2657         (JSC::DFG::Node::hasUnlinkedLocal):
2658         (JSC::DFG::Node::hasStackAccessData):
2659         (JSC::DFG::Node::stackAccessData):
2660         (JSC::DFG::Node::willHaveCodeGenOrOSR):
2661         * dfg/DFGNodeType.h:
2662         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
2663         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
2664         * dfg/DFGPlan.cpp:
2665         (JSC::DFG::Plan::compileInThreadImpl):
2666         * dfg/DFGPredictionPropagationPhase.cpp:
2667         (JSC::DFG::PredictionPropagationPhase::propagate):
2668         * dfg/DFGPutLocalSinkingPhase.cpp: Removed.
2669         * dfg/DFGPutLocalSinkingPhase.h: Removed.
2670         * dfg/DFGPutStackSinkingPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.cpp.
2671         (JSC::DFG::performPutStackSinking):
2672         (JSC::DFG::performPutLocalSinking): Deleted.
2673         * dfg/DFGPutStackSinkingPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPutLocalSinkingPhase.h.
2674         * dfg/DFGSSAConversionPhase.cpp:
2675         (JSC::DFG::SSAConversionPhase::run):
2676         * dfg/DFGSafeToExecute.h:
2677         (JSC::DFG::safeToExecute):
2678         * dfg/DFGSpeculativeJIT32_64.cpp:
2679         (JSC::DFG::SpeculativeJIT::compile):
2680         * dfg/DFGSpeculativeJIT64.cpp:
2681         (JSC::DFG::SpeculativeJIT::compile):
2682         * dfg/DFGStackLayoutPhase.cpp:
2683         (JSC::DFG::StackLayoutPhase::run):
2684         * dfg/DFGValidate.cpp:
2685         (JSC::DFG::Validate::validate):
2686         (JSC::DFG::Validate::validateCPS):
2687         (JSC::DFG::Validate::validateSSA):
2688         * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2689         (JSC::DFG::VirtualRegisterAllocationPhase::run):
2690         * ftl/FTLCapabilities.cpp:
2691         (JSC::FTL::canCompile):
2692         * ftl/FTLLowerDFGToLLVM.cpp:
2693         (JSC::FTL::LowerDFGToLLVM::lower):
2694         (JSC::FTL::LowerDFGToLLVM::compileNode):
2695         (JSC::FTL::LowerDFGToLLVM::compileGetStack):
2696         (JSC::FTL::LowerDFGToLLVM::compilePutStack):
2697         (JSC::FTL::LowerDFGToLLVM::compileGetLocal): Deleted.
2698         (JSC::FTL::LowerDFGToLLVM::compilePutLocal): Deleted.
2699         * ftl/FTLOSRExit.h:
2700         * tests/stress/many-sunken-locals.js: Added. This failure mode was caught by some miscellaneous test, so I figured I should write an explicit test for it.
2701         (foo):
2702         (bar):
2703         (baz):
2704         (fuzz):
2705         (buzz):
2706
2707 2015-02-26  Mark Lam  <mark.lam@apple.com>
2708
2709         Rolling out r180602, r180608, r180613, r180617, r180671.
2710         <https://webkit.org/b/141990>
2711
2712         Not reviewed.
2713
2714         The r180602 solution does result in more work for GC when worker
2715         threads are in use.  Filip is uncomfortable with that.
2716         The EFL and GTK ports also seem to be unhappy with this change.
2717         Rolling out while we investigate.
2718
2719         * heap/Heap.cpp:
2720         (JSC::Heap::Heap):
2721         (JSC::Heap::gatherStackRoots):
2722         (JSC::Heap::machineThreads): Deleted.
2723         * heap/Heap.h:
2724         (JSC::Heap::machineThreads):
2725         * heap/MachineStackMarker.cpp:
2726         (JSC::MachineThreads::MachineThreads):
2727         (JSC::MachineThreads::~MachineThreads):
2728         (JSC::MachineThreads::addCurrentThread):
2729         * heap/MachineStackMarker.h:
2730         * runtime/JSLock.cpp:
2731         (JSC::JSLock::didAcquireLock):
2732
2733 2015-02-26  Myles C. Maxfield  <mmaxfield@apple.com>
2734
2735         [Mac] [iOS] Parsing support for -apple-trailing-word
2736         https://bugs.webkit.org/show_bug.cgi?id=141939
2737
2738         Reviewed by Andreas Kling.
2739
2740         * Configurations/FeatureDefines.xcconfig:
2741
2742 2015-02-26  Michael Saboff  <msaboff@apple.com>
2743
2744         [Win] Debug-only JavaScriptCore failures
2745         https://bugs.webkit.org/show_bug.cgi?id=142045
2746
2747         Rubber stamped by Filip Pizlo.
2748
2749         Reduced loop count to a more reasonable value of 10,000.  This still gets us to tier up
2750         to the FTL, but doesn't take too long to run.
2751
2752         * tests/stress/repeated-arity-check-fail.js:
2753
2754 2015-02-26  Brent Fulgham  <bfulgham@apple.com>
2755
2756         [Win] Make build logs more legible by reducing noise
2757         https://bugs.webkit.org/show_bug.cgi?id=142034
2758
2759         Reviewed by Alexey Proskuryakov.
2760
2761         Modify batch files, makefiles, and DOS commands to remove
2762         uninteresting/unhelpful output.
2763
2764         * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
2765         * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
2766         * JavaScriptCore.vcxproj/copy-files.cmd:
2767         * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd:
2768         * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
2769         * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd:
2770         * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
2771         * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd:
2772         * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd:
2773         * JavaScriptCore.vcxproj/testapi/testapiPostBuild.cmd:
2774         * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
2775
2776 2015-02-26  Csaba Osztrogonác  <ossy@webkit.org>
2777
2778         Add calleeSaveRegisters() implementation for ARM Traditional
2779         https://bugs.webkit.org/show_bug.cgi?id=141903
2780
2781         Reviewed by Darin Adler.
2782
2783         * jit/RegisterSet.cpp:
2784         (JSC::RegisterSet::calleeSaveRegisters):
2785
2786 2015-02-25  Michael Saboff  <msaboff@apple.com>
2787
2788         Web Inspector: CRASH when debugger pauses inside a Promise handler
2789         https://bugs.webkit.org/show_bug.cgi?id=141396
2790
2791         Reviewed by Mark Lam.
2792
2793         For frames that don't have a scope, typically native frames, use the lexicalGlobalObject to
2794         create the DebuggerScope for that frame.
2795
2796         * debugger/DebuggerCallFrame.cpp:
2797         (JSC::DebuggerCallFrame::scope):
2798
2799 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
2800
2801         DFG abstract heaps should respect the difference between heap and stack
2802         https://bugs.webkit.org/show_bug.cgi?id=142022
2803
2804         Reviewed by Geoffrey Garen.
2805         
2806         We will soon (https://bugs.webkit.org/show_bug.cgi?id=141174) be in a world where a "world
2807         clobbering" operation cannot write to our stack, but may be able to read from it. This
2808         means that we need to change the DFG abstract heap hierarchy to have a notion of Heap that
2809         subsumes all that World previously subsumed, and a new notion of Stack that is a subtype
2810         of World and a sibling of Heap.
2811
2812         So, henceforth "clobbering the world" means reading World and writing Heap.
2813         
2814         This makes a bunch of changes to make this work, including changing the implementation of
2815         disjointness in AbstractHeap to make it support a more general hierarchy. I was expecting
2816         a slow-down, but I measured the heck out of this and found no perf difference.
2817
2818         * dfg/DFGAbstractHeap.cpp:
2819         (JSC::DFG::AbstractHeap::dump):
2820         * dfg/DFGAbstractHeap.h:
2821         (JSC::DFG::AbstractHeap::supertype):
2822         (JSC::DFG::AbstractHeap::isStrictSubtypeOf):
2823         (JSC::DFG::AbstractHeap::isSubtypeOf):
2824         (JSC::DFG::AbstractHeap::overlaps):
2825         (JSC::DFG::AbstractHeap::isDisjoint):
2826         * dfg/DFGClobberize.cpp:
2827         (JSC::DFG::clobbersHeap):
2828         (JSC::DFG::clobbersWorld): Deleted.
2829         * dfg/DFGClobberize.h:
2830         (JSC::DFG::clobberize):
2831         * dfg/DFGDoesGC.cpp:
2832         (JSC::DFG::doesGC):
2833
2834 2015-02-25  Ryosuke Niwa  <rniwa@webkit.org>
2835
2836         REGRESSION(r180595): construct varargs fails in FTL
2837         https://bugs.webkit.org/show_bug.cgi?id=142030
2838
2839         Reviewed by Geoffrey Garen.
2840
2841         The bug was caused by IC size being too small for construct_varargs even though we've added a new argument.
2842         Fixed the bug by increasing the IC size to match call_varargs.
2843
2844         * ftl/FTLInlineCacheSize.cpp:
2845         (JSC::FTL::sizeOfConstructVarargs):
2846
2847 2015-02-25  Mark Lam  <mark.lam@apple.com>
2848
2849         ASan does not like JSC::MachineThreads::tryCopyOtherThreadStack.
2850         <https://webkit.org/b/141672>
2851
2852         Reviewed by Alexey Proskuryakov.
2853
2854         ASan does not like the fact that we memcpy the stack for GC scans.  So,
2855         we're working around this by using our own memcpy (asanUnsafeMemcpy)
2856         implementation that we can tell ASan to ignore.
2857
2858         * heap/MachineStackMarker.cpp:
2859         (JSC::asanUnsafeMemcpy):
2860
2861 2015-02-25  Benjamin Poulain  <bpoulain@apple.com>
2862
2863         CodeBlock crashes when dumping op_push_name_scope
2864         https://bugs.webkit.org/show_bug.cgi?id=141953
2865
2866         Reviewed by Filip Pizlo and Csaba Osztrogonác.
2867
2868         * bytecode/CodeBlock.cpp:
2869         (JSC::CodeBlock::dumpBytecode):
2870         * tests/stress/op-push-name-scope-crashes-profiler.js: Added.
2871
2872 2015-02-25  Benjamin Poulain  <benjamin@webkit.org>
2873
2874         Make ParserError immutable by design
2875         https://bugs.webkit.org/show_bug.cgi?id=141955
2876
2877         Reviewed by Geoffrey Garen.
2878
2879         This patch enforce that no field of ParserError can
2880         be modified after the constructor.
2881
2882         * parser/ParserError.h:
2883         Move the attributes to pack the integer + 2 bytes together.
2884         This is irrelevant for memory impact, it is to remve a load-store
2885         when copying by value.
2886
2887         Also move the attributes to be private.
2888
2889         (JSC::ParserError::isValid):
2890         To client of the interface cared about the type of the error,
2891         the only information needed was: is there an error.
2892
2893         (JSC::ParserError::ParserError):
2894         (JSC::ParserError::syntaxErrorType):
2895         (JSC::ParserError::token):
2896         (JSC::ParserError::message):
2897         (JSC::ParserError::line):
2898         (JSC::ParserError::toErrorObject):
2899         * API/JSScriptRef.cpp:
2900         * builtins/BuiltinExecutables.cpp:
2901         (JSC::BuiltinExecutables::createBuiltinExecutable):
2902         * bytecode/UnlinkedCodeBlock.cpp:
2903         (JSC::generateFunctionCodeBlock):
2904         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
2905         (JSC::UnlinkedFunctionExecutable::codeBlockFor):
2906         * bytecode/UnlinkedCodeBlock.h:
2907         * inspector/agents/InspectorRuntimeAgent.cpp:
2908         (Inspector::InspectorRuntimeAgent::parse):
2909         * jsc.cpp:
2910         (runInteractive):
2911         * parser/Parser.h:
2912         (JSC::parse):
2913         * runtime/CodeCache.cpp:
2914         (JSC::CodeCache::getGlobalCodeBlock):
2915         (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2916         * runtime/CodeCache.h:
2917         * runtime/Completion.h:
2918         * runtime/Executable.cpp:
2919         (JSC::ProgramExecutable::checkSyntax):
2920         * runtime/JSGlobalObject.cpp:
2921         (JSC::JSGlobalObject::createProgramCodeBlock):
2922         (JSC::JSGlobalObject::createEvalCodeBlock):
2923
2924 2015-02-25  Filip Pizlo  <fpizlo@apple.com>
2925
2926         Need to pass RTLD_DEEPBIND to dlopen() to ensure that our LLVMOverrides take effect on Linux
2927         https://bugs.webkit.org/show_bug.cgi?id=142006
2928
2929         Reviewed by Csaba Osztrogonác.
2930
2931         This fixes hard-to-reproduce concurrency-related crashes when running stress tests with FTL and
2932         concurrent JIT enabled.
2933
2934         * llvm/InitializeLLVMPOSIX.cpp:
2935         (JSC::initializeLLVMPOSIX):
2936
2937 2015-02-24  Filip Pizlo  <fpizlo@apple.com>
2938
2939         CMake build of libllvmForJSC.so should limit its export list like the Xcode build does
2940         https://bugs.webkit.org/show_bug.cgi?id=141989
2941
2942         Reviewed by Gyuyoung Kim.
2943
2944         * CMakeLists.txt:
2945         * llvm/library/libllvmForJSC.version: Added.
2946
2947 2015-02-24  Alexey Proskuryakov  <ap@apple.com>
2948
2949         More iOS build fix after r180602.
2950
2951         * heap/Heap.h: Export Heap::machineThreads().
2952
2953 2015-02-24  Brent Fulgham  <bfulgham@apple.com>
2954
2955         Unreviewed build fix after r180602.
2956
2957         * heap/MachineStackMarker.h: Add missing 'no return'
2958         declaration for Windows.
2959
2960 2015-02-24  Commit Queue  <commit-queue@webkit.org>
2961
2962         Unreviewed, rolling out r180599.
2963         https://bugs.webkit.org/show_bug.cgi?id=141998
2964
2965         Lots of new test failures (Requested by smfr on #webkit).
2966
2967         Reverted changeset:
2968
2969         "Parsing support for -webkit-trailing-word"
2970         https://bugs.webkit.org/show_bug.cgi?id=141939
2971         http://trac.webkit.org/changeset/180599
2972
2973 2015-02-24  Mark Lam  <mark.lam@apple.com>
2974
2975         MachineThreads::Thread clean up has a use after free race condition.
2976         <https://webkit.org/b/141990>
2977
2978         Reviewed by Michael Saboff.
2979
2980         MachineThreads::Thread clean up relies on the clean up mechanism
2981         implemented in _pthread_tsd_cleanup_key(), which looks like this:
2982
2983         void _pthread_tsd_cleanup_key(pthread_t self, pthread_key_t key)
2984         {
2985             void (*destructor)(void *);
2986             if (_pthread_key_get_destructor(key, &destructor)) {
2987                 void **ptr = &self->tsd[key];
2988                 void *value = *ptr;
2989
2990                 // At this point, this thread has cached "destructor" and "value"
2991                 // (which is a MachineThreads*).  If the VM gets destructed (along
2992                 // with its MachineThreads registry) by another thread, then this
2993                 // thread will have no way of knowing that the MachineThreads* is
2994                 // now pointing to freed memory.  Calling the destructor below will
2995                 // therefore result in a use after free scenario when it tries to
2996                 // access the MachineThreads' data members.
2997
2998                 if (value) {
2999                     *ptr = NULL;
3000                     if (destructor) {
3001                         destructor(value);
3002                     }
3003                 }
3004             }
3005         }
3006
3007         The solution is simply to change MachineThreads from a per VM thread
3008         registry to a process global singleton thread registry i.e. the
3009         MachineThreads registry is now immortal and we cannot have a use after
3010         free scenario since we never free it.
3011
3012         The cost of this change is that all VM instances will have to scan
3013         stacks of all threads ever touched by a VM, and not just those that
3014         touched a specific VM.  However, stacks tend to be shallow.  Hence,
3015         those additional scans will tend to be cheap.
3016
3017         Secondly, it is not common for there to be multiple JSC VMs in use
3018         concurrently on multiple threads.  Hence, this cost should rarely
3019         manifest in real world applications.
3020
3021         * heap/Heap.cpp:
3022         (JSC::Heap::Heap):
3023         (JSC::Heap::machineThreads):
3024         (JSC::Heap::gatherStackRoots):
3025         * heap/Heap.h:
3026         (JSC::Heap::machineThreads): Deleted.
3027         * heap/MachineStackMarker.cpp:
3028         (JSC::MachineThreads::MachineThreads):
3029         (JSC::MachineThreads::~MachineThreads):
3030         (JSC::MachineThreads::addCurrentThread):
3031         * heap/MachineStackMarker.h:
3032         * runtime/JSLock.cpp:
3033         (JSC::JSLock::didAcquireLock):
3034
3035 2015-02-24  Myles C. Maxfield  <mmaxfield@apple.com>
3036
3037         [Mac] [iOS] Parsing support for -apple-trailing-word
3038         https://bugs.webkit.org/show_bug.cgi?id=141939
3039
3040         Reviewed by Andreas Kling.
3041
3042         * Configurations/FeatureDefines.xcconfig:
3043
3044 2015-02-24  Ryosuke Niwa  <rniwa@webkit.org>
3045
3046         Use "this" instead of "callee" to get the constructor
3047         https://bugs.webkit.org/show_bug.cgi?id=141019
3048
3049         Reviewed by Filip Pizlo.
3050
3051         This patch uses "this" register to pass the constructor (newTarget) to op_create_this from
3052         op_construct or op_construct_varargs. This will allow future patches that implement ES6 class
3053         to pass in the most derived class' constructor through "this" argument.
3054
3055         BytecodeGenerator's emitConstruct and emitConstructVarargs now passes thisRegister like
3056         regular calls and emitCreateThis passes in this register to op_create_this as constructor.
3057
3058         The rest of the code change removes the code for special casing "this" register not being used
3059         in call to construct.
3060
3061         * bytecode/BytecodeUseDef.h:
3062         (JSC::computeUsesForBytecodeOffset):
3063         * bytecompiler/BytecodeGenerator.cpp:
3064         (JSC::BytecodeGenerator::emitCreateThis):
3065         (JSC::BytecodeGenerator::emitConstructVarargs):
3066         (JSC::BytecodeGenerator::emitConstruct):
3067         * bytecompiler/BytecodeGenerator.h:
3068         * bytecompiler/NodesCodegen.cpp:
3069         (JSC::NewExprNode::emitBytecode):
3070         * dfg/DFGByteCodeParser.cpp:
3071         (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
3072         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3073         (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
3074         (JSC::DFG::ByteCodeParser::attemptToInlineCall):
3075         (JSC::DFG::ByteCodeParser::handleInlining):
3076         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3077         (JSC::DFG::ByteCodeParser::parseBlock):
3078         * dfg/DFGJITCode.cpp:
3079         (JSC::DFG::JITCode::reconstruct):
3080         * dfg/DFGSpeculativeJIT32_64.cpp:
3081         (JSC::DFG::SpeculativeJIT::emitCall):
3082         * dfg/DFGSpeculativeJIT64.cpp:
3083         (JSC::DFG::SpeculativeJIT::emitCall):
3084         * ftl/FTLJSCallVarargs.cpp:
3085         (JSC::FTL::JSCallVarargs::emit):
3086         * ftl/FTLLowerDFGToLLVM.cpp:
3087         (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
3088         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
3089         (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
3090         * interpreter/Interpreter.cpp:
3091         (JSC::Interpreter::executeConstruct):
3092         * jit/JITOperations.cpp:
3093
3094 2015-02-24  Joseph Pecoraro  <pecoraro@apple.com>
3095
3096         Web Inspector: Make Getter/Setter RemoteObject property and ObjectPreview handling consistent
3097         https://bugs.webkit.org/show_bug.cgi?id=141587
3098
3099         Reviewed by Timothy Hatcher.
3100
3101         Convert getProperties(ownAndGetterProperties) to getDisplayableProperties().
3102         Mark PropertyDescriptors that are presumed to be native getters / bindings
3103         separately so that the frontend may display them differently.
3104
3105         * inspector/InjectedScript.cpp:
3106         (Inspector::InjectedScript::getProperties):
3107         (Inspector::InjectedScript::getDisplayableProperties):
3108         * inspector/InjectedScript.h:
3109         * inspector/InjectedScriptSource.js:
3110         * inspector/agents/InspectorRuntimeAgent.cpp:
3111         (Inspector::InspectorRuntimeAgent::getProperties):
3112         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
3113         * inspector/agents/InspectorRuntimeAgent.h:
3114         * inspector/protocol/Runtime.json:
3115
3116 2015-02-24  Mark Lam  <mark.lam@apple.com>
3117
3118         Rolling out r179753.  The fix was invalid.
3119         <https://webkit.org/b/141990>
3120
3121         Not reviewed.
3122
3123         * API/tests/testapi.mm:
3124         (threadMain):
3125         (useVMFromOtherThread): Deleted.
3126         (useVMFromOtherThreadAndOutliveVM): Deleted.
3127         * heap/Heap.cpp:
3128         (JSC::Heap::Heap):
3129         (JSC::Heap::~Heap):
3130         (JSC::Heap::gatherStackRoots):
3131         * heap/Heap.h:
3132         (JSC::Heap::machineThreads):
3133         * heap/MachineStackMarker.cpp:
3134         (JSC::MachineThreads::Thread::Thread):
3135         (JSC::MachineThreads::MachineThreads):
3136         (JSC::MachineThreads::~MachineThreads):
3137         (JSC::MachineThreads::addCurrentThread):
3138         (JSC::MachineThreads::removeThread):
3139         (JSC::MachineThreads::removeCurrentThread):
3140         * heap/MachineStackMarker.h:
3141
3142 2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3143
3144         Constructor returning null should construct an object instead of null
3145         https://bugs.webkit.org/show_bug.cgi?id=141640
3146
3147         Reviewed by Filip Pizlo.
3148
3149         When constructor code doesn't return object, constructor should return `this` object instead.
3150         Since we used `op_is_object` for this check and `op_is_object` is intended to be used for `typeof`,
3151         it allows `null` as an object.
3152         This patch fixes it by introducing an new bytecode `op_is_object_or_null` for `typeof` use cases.
3153         Instead, constructor uses simplified `is_object`.
3154
3155         As a result, `op_is_object` becomes fairly simple. So we introduce optimization for `op_is_object`.
3156
3157         1. LLInt and baseline JIT support `op_is_object` as a fast path.
3158         2. DFG abstract interpreter support `op_is_object`. And recognize its speculated type and read-write effects.
3159         3. DFG introduces inlined asm for `op_is_object` rather than calling a C++ function.
3160         4. FTL lowers DFG's IsObject into LLVM IR.
3161
3162         And at the same time, this patch fixes isString / isObject predicate used for `op_is_object` and others
3163         in LLInt, JIT, DFG and FTL.
3164         Before introducing ES6 Symbol, JSCell is only used for object and string in user observable area.
3165         So in many places, when the cell is not object, we recognize it as a string, and vice versa.
3166         However, now ES6 Symbol is implemented as a JSCell, this assumption is broken.
3167         So this patch stop using !isString as isObject.
3168         To check whether a cell is an object, instead of seeing that structure ID of a cell is not stringStructure,
3169         we examine typeInfo in JSCell.
3170
3171         * JavaScriptCore.order:
3172         * bytecode/BytecodeList.json:
3173         * bytecode/BytecodeUseDef.h:
3174         (JSC::computeUsesForBytecodeOffset):
3175         (JSC::computeDefsForBytecodeOffset):
3176         * bytecode/CodeBlock.cpp:
3177         (JSC::CodeBlock::dumpBytecode):
3178         * bytecode/PutByIdStatus.cpp:
3179         (JSC::PutByIdStatus::computeFor):
3180         * bytecompiler/BytecodeGenerator.cpp:
3181         (JSC::BytecodeGenerator::emitEqualityOp):
3182         (JSC::BytecodeGenerator::emitReturn):
3183         * dfg/DFGAbstractInterpreterInlines.h:
3184         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3185         * dfg/DFGByteCodeParser.cpp:
3186         (JSC::DFG::ByteCodeParser::parseBlock):
3187         * dfg/DFGCapabilities.cpp:
3188         (JSC::DFG::capabilityLevel):
3189         * dfg/DFGClobberize.h:
3190         (JSC::DFG::clobberize):
3191
3192         IsObject operation only touches JSCell typeInfoType.
3193         And this value would be changed through structure transition.
3194         As a result, IsObject can report that it doesn't read any information.
3195
3196         * dfg/DFGConstantFoldingPhase.cpp:
3197         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3198         * dfg/DFGDoesGC.cpp:
3199         (JSC::DFG::doesGC):
3200         * dfg/DFGFixupPhase.cpp:
3201         (JSC::DFG::FixupPhase::fixupNode):
3202
3203         Just like IsString, IsObject is also fixed up.
3204
3205         * dfg/DFGHeapLocation.cpp:
3206         (WTF::printInternal):
3207         * dfg/DFGHeapLocation.h:
3208         * dfg/DFGNodeType.h:
3209         * dfg/DFGOperations.cpp:
3210         * dfg/DFGOperations.h:
3211         * dfg/DFGPredictionPropagationPhase.cpp:
3212         (JSC::DFG::PredictionPropagationPhase::propagate):
3213         * dfg/DFGSafeToExecute.h:
3214         (JSC::DFG::safeToExecute):
3215         * dfg/DFGSpeculativeJIT.cpp:
3216         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
3217         (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
3218         (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
3219         (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
3220         (JSC::DFG::SpeculativeJIT::speculateObject):
3221         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
3222         (JSC::DFG::SpeculativeJIT::speculateString):
3223         (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
3224         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
3225         (JSC::DFG::SpeculativeJIT::emitSwitchString):
3226         (JSC::DFG::SpeculativeJIT::branchIsObject):
3227         (JSC::DFG::SpeculativeJIT::branchNotObject):
3228         (JSC::DFG::SpeculativeJIT::branchIsString):
3229         (JSC::DFG::SpeculativeJIT::branchNotString):
3230         * dfg/DFGSpeculativeJIT.h:
3231         * dfg/DFGSpeculativeJIT32_64.cpp:
3232         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3233         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3234         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3235         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3236         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3237         (JSC::DFG::SpeculativeJIT::compile):
3238         * dfg/DFGSpeculativeJIT64.cpp:
3239         (JSC::DFG::SpeculativeJIT::compileObjectEquality):
3240         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
3241         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
3242         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3243         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3244         (JSC::DFG::SpeculativeJIT::compile):
3245         * ftl/FTLCapabilities.cpp:
3246         (JSC::FTL::canCompile):
3247         * ftl/FTLLowerDFGToLLVM.cpp:
3248         (JSC::FTL::LowerDFGToLLVM::compileNode):
3249         (JSC::FTL::LowerDFGToLLVM::compileToString):
3250         (JSC::FTL::LowerDFGToLLVM::compileIsObject):
3251         (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
3252         (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
3253         (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
3254         (JSC::FTL::LowerDFGToLLVM::isObject):
3255         (JSC::FTL::LowerDFGToLLVM::isNotObject):
3256         (JSC::FTL::LowerDFGToLLVM::isNotString):
3257         (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
3258         * jit/JIT.cpp:
3259         (JSC::JIT::privateCompileMainPass):
3260         * jit/JIT.h:
3261         * jit/JITInlines.h:
3262         (JSC::JIT::emitJumpIfCellObject):
3263         * jit/JITOpcodes.cpp:
3264         (JSC::JIT::emit_op_is_object):
3265         (JSC::JIT::emit_op_to_primitive):
3266         * jit/JITOpcodes32_64.cpp:
3267         (JSC::JIT::emit_op_is_object):
3268         (JSC::JIT::emit_op_to_primitive):
3269         (JSC::JIT::compileOpStrictEq):
3270         * llint/LowLevelInterpreter.asm:
3271         * llint/LowLevelInterpreter32_64.asm:
3272         * llint/LowLevelInterpreter64.asm:
3273         * runtime/CommonSlowPaths.cpp:
3274         (JSC::SLOW_PATH_DECL):
3275         * runtime/CommonSlowPaths.h:
3276         * runtime/Operations.cpp:
3277         (JSC::jsIsObjectTypeOrNull):
3278         (JSC::jsIsObjectType): Deleted.
3279         * runtime/Operations.h:
3280         * tests/stress/constructor-with-return.js: Added.
3281         (Test):
3282
3283         When constructor doesn't return an object, `this` should be returned instead.
3284         In this test, we check all primitives. And test object, array and wrappers.
3285
3286         * tests/stress/dfg-to-primitive-pass-symbol.js: Added.
3287         (toPrimitiveTarget):
3288         (doToPrimitive):
3289
3290         op_to_primitive operation passes Symbol in fast path.
3291
3292 2015-02-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3293
3294         REGRESSION(r179429): Can't type comments in Facebook
3295         https://bugs.webkit.org/show_bug.cgi?id=141859
3296
3297         Reviewed by Brent Fulgham.
3298
3299         When window.Symbol is exposed to user-space pages,
3300         Facebook's JavaScript use it (maybe, for immutable-js and React.js's unique key).
3301         However, to work with Symbols completely, it also requires
3302         1) Object.getOwnPropertySymbols (for mixin including Symbols)
3303         2) the latest ES6 Iterator interface that uses Iterator.next and it returns { done: boolean, value: value }.
3304         Since they are not landed yet, comments in Facebook don't work.
3305
3306         This patch introduces RuntimeFlags for JavaScriptCore.
3307         Specifying SymbolEnabled flag under test runner and inspector to continue to work with Symbol.
3308         And drop JavaScriptExperimentsEnabled flag
3309         because it is no longer used and use case of this is duplicated to runtime flags.
3310
3311         * JavaScriptCore.order:
3312         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3313         * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3314         * JavaScriptCore.xcodeproj/project.pbxproj:
3315         * jsc.cpp:
3316         (GlobalObject::javaScriptRuntimeFlags):
3317         (GlobalObject::javaScriptExperimentsEnabled): Deleted.
3318         * runtime/JSGlobalObject.cpp:
3319         (JSC::JSGlobalObject::JSGlobalObject):
3320         (JSC::JSGlobalObject::init):
3321         * runtime/JSGlobalObject.h:
3322         (JSC::JSGlobalObject::finishCreation):
3323         (JSC::JSGlobalObject::javaScriptRuntimeFlags):
3324         (JSC::JSGlobalObject::javaScriptExperimentsEnabled): Deleted.
3325         * runtime/RuntimeFlags.h: Added.
3326         (JSC::RuntimeFlags::RuntimeFlags):
3327         (JSC::RuntimeFlags::createAllEnabled):
3328
3329 2015-02-23  Filip Pizlo  <fpizlo@apple.com>
3330
3331         Our bizarre behavior on Arguments::defineOwnProperty should be deliberate rather than a spaghetti incident
3332         https://bugs.webkit.org/show_bug.cgi?id=141951
3333
3334         Reviewed by Benjamin Poulain.
3335         
3336         This patch has no behavioral change, but it simplifies a bunch of wrong code. The code is
3337         still wrong in exactly the same way, but at least it's obvious what's going on. The wrongness
3338         is covered by this bug: https://bugs.webkit.org/show_bug.cgi?id=141952.
3339
3340         * runtime/Arguments.cpp:
3341         (JSC::Arguments::copyBackingStore): We should only see the arguments token; assert otherwise. This works because if the GC sees the butterfly token it calls the JSObject::copyBackingStore method directly.
3342         (JSC::Arguments::defineOwnProperty): Make our bizarre behavior deliberate rather than an accident of a decade of patches.
3343         * tests/stress/arguments-bizarre-behavior.js: Added.
3344         (foo):
3345         * tests/stress/arguments-bizarre-behaviour-disable-enumerability.js: Added. My choice of spellings of the word "behavio[u]r" is almost as consistent as our implementation of arguments.
3346         (foo):
3347         * tests/stress/arguments-custom-properties-gc.js: Added. I added this test because at first I was unsure if we GCd arguments correctly.
3348         (makeBaseArguments):
3349         (makeArray):
3350         (cons):
3351
3352 2015-02-23  Commit Queue  <commit-queue@webkit.org>
3353
3354         Unreviewed, rolling out r180547 and r180550.
3355         https://bugs.webkit.org/show_bug.cgi?id=141957
3356
3357         Broke 10 Windows tests. (Requested by bfulgham_ on #webkit).
3358